CVSS: 8.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-36036 – Magento Commerce Media Gallery Upload Improper Access Control Could Lead To Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-36036
06 Sep 2023 — Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution. Las versiones 2.4.2 (y anteriores), 2.4.2-p1 (y anteriores) y 2.3.7 (y anteriores) de Magento... • https://helpx.adobe.com/security/products/magento/apsb21-64.html • CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-36021 – Magento Commerce CMS Page Improper Input Validation Could Lead To Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-36021
06 Sep 2023 — Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability to achieve remote code execution on the system. Las versiones 2.4.2 (y anteriores), 2.4.2-p1 (y anteriores) y 2.3.7 (y anteriores) de Magento están afectadas por una vulnerabilidad de validación de entrada Incorrecta dentro de la fu... • https://helpx.adobe.com/security/products/magento/apsb21-64.html • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 1%CPEs: 10EXPL: 0CVE-2021-36023 – Magento Commerce Widgets Update Layout XML Injection Vulnerability Could Lead To Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-36023
06 Sep 2023 — Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Las versiones 2.4.2 (y anteriores), 2.4.2-p1 (y anteriores) y 2.3.7 (y anteriores) de Magento Commerce están afectadas por una vulnerabilidad de inyección XML en el diseño de actualización de widgets. Un atacante con privilegios de ad... • https://helpx.adobe.com/security/products/magento/apsb21-64.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 20EXPL: 0CVE-2022-42344 – [CVE-2021-36032] Magento IDOR Leads to Account Takeover
https://notcve.org/view.php?id=CVE-2022-42344
20 Oct 2022 — Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposure and privilege escalation. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad de comprobación de entrada inapropiada. Un atacante autenticado puede desencadenar una referencia de objeto ... • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 20EXPL: 0CVE-2022-34259 – Adobe Commerce Improper Access Control Security feature bypass
https://notcve.org/view.php?id=CVE-2022-34259
16 Aug 2022 — Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad de Control de ... • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 20EXPL: 0CVE-2022-34257 – Adobe Commerce Stored XSS Arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-34257
16 Aug 2022 — Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad d... • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 20%CPEs: 20EXPL: 0CVE-2022-34253 – Adobe Commerce XML Injection Arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-34253
16 Aug 2022 — Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad de inyección XML en el módulo de widgets. ... • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 9.0EPSS: 0%CPEs: 20EXPL: 0CVE-2022-34255 – Adobe Commerce Improper Access Control Privilege escalation
https://notcve.org/view.php?id=CVE-2022-34255
16 Aug 2022 — Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad... • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 20EXPL: 0CVE-2022-34254 – Adobe Commerce Improper Limitation of a Pathname to a Restricted Directory Arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-34254
16 Aug 2022 — Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could be abused by an attacker to inject malicious scripts into the vulnerable endpoint. A low privileged attacker could leverage this vulnerability to read local files and to perform Stored XSS. Exploitation of this issue does not require user interaction. Adobe Commerce versiones 2.4.3-p2 (y anter... • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 20EXPL: 0CVE-2022-34256 – Adobe Commerce Improper Authorization Privilege escalation
https://notcve.org/view.php?id=CVE-2022-34256
16 Aug 2022 — Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad de Autorización Inapropiada que podría result... • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-285: Improper Authorization •