CVE-2021-21025

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*
cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*
cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*
cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*
cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*
cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*
cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*
cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*
cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*

History

07 Nov 2023, 03:29

Type Values Removed Values Added
CVSS v2 : 6.5
v3 : 9.1
v2 : 6.5
v3 : unknown

Information

Published : 2021-02-11 20:15

Updated : 2024-02-28 18:08


NVD link : CVE-2021-21025

Mitre link : CVE-2021-21025

CVE.ORG link : CVE-2021-21025


JSON object : View

Products Affected

magento

  • magento
CWE
CWE-91

XML Injection (aka Blind XPath Injection)