Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
References
Link | Resource |
---|---|
https://helpx.adobe.com/security/products/magento/apsb21-08.html | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 03:29
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : unknown |
Information
Published : 2021-02-11 20:15
Updated : 2024-02-28 18:08
NVD link : CVE-2021-21025
Mitre link : CVE-2021-21025
CVE.ORG link : CVE-2021-21025
JSON object : View
Products Affected
magento
- magento
CWE
CWE-91
XML Injection (aka Blind XPath Injection)