Headline
CVE-2021-28563: Adobe Security Bulletin
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the ‘Create Customer’ endpoint. Successful exploitation could lead to unauthorized modification of customer data. Access to the admin console is required for successful exploitation, so the issue is not exploitable pre-authentication (see the vulnerability details table below, which lists it as requiring admin privileges).
Security Updates Available for Magento | APSB21-30
Bulletin ID | Date Published | Priority
APSB21-30 | May 11, 2021 | 2
Summary
Magento has released updates for Magento Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated important and moderate. Successful exploitation could lead to unauthorized access to restricted resources or to arbitrary code execution.
Affected Versions
Product | Version | Platform
Magento Commerce | 2.4.2 and earlier versions | All
Magento Commerce | 2.4.1-p1 and earlier versions | All
Magento Commerce | 2.3.6-p1 and earlier versions | All
Magento Open Source | 2.4.2 and earlier versions | All
Magento Open Source | 2.4.1-p1 and earlier versions | All
Magento Open Source | 2.3.6-p1 and earlier versions | All
Solution
Adobe categorizes these updates with the following priority ratings and recommends that users update their installation to the newest version.
Product | Updated Version | Platform | Priority Rating | Release Notes
Magento Commerce | 2.4.2-p1 | All | 2 | 2.4.x release notes
Magento Commerce | 2.3.7 | All | 2 | 2.3.x release notes
Magento Open Source | 2.4.2-p1 | All | 2 | 2.4.x release notes
Magento Open Source | 2.3.7 | All | 2 | 2.3.x release notes
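Deciding whether a store needs one of these updates means comparing the installed version against the fixed releases above while honouring Magento's -pN patch suffix (2.4.2 is affected, 2.4.2-p1 is not, so plain string comparison is wrong). The Python below is an added example, not code from the bulletin or from Magento: it parses a Magento version string into a sortable tuple, reads the installed version out of a composer.lock (the lock file here is constructed; the real package names magento/product-community-edition and magento/product-enterprise-edition are what a deployed store records), and applies the thresholds from the Solution table. It assumes that branches older than 2.3 fall under "and earlier" and are affected, and that branches newer than 2.4 were released after the fix and are not listed.

```python
import json
import re
from typing import Optional, Tuple

# First fixed release per branch, taken from the Solution table of APSB21-30.
# Tuple layout: (major, minor, patch, p-level); "-pN" maps to p-level N.
FIXED_IN = {
    (2, 4): (2, 4, 2, 1),  # 2.4.2-p1
    (2, 3): (2, 3, 7, 0),  # 2.3.7
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_magento_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '2.4.1-p1' into (2, 4, 1, 1). A release without a -pN suffix gets
    p-level 0, so 2.4.2 sorts before 2.4.2-p1, matching the bulletin."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: str) -> bool:
    """True when the version predates the fix on its branch.
    Assumption: branches older than 2.3 are 'and earlier' (affected);
    branches newer than 2.4 postdate the bulletin (not affected)."""
    key = parse_magento_version(version)
    branch = key[:2]
    if branch in FIXED_IN:
        return key < FIXED_IN[branch]
    return branch < min(FIXED_IN)


def version_from_composer_lock(lock_json: str) -> Optional[str]:
    """Read the product version from composer.lock, where a deployed Magento 2
    store records the installed edition metapackage."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") in ("magento/product-community-edition",
                               "magento/product-enterprise-edition"):
            return pkg.get("version")
    return None


# Constructed sample lock file (not from a real store) for the demonstration.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.2"},
        {"name": "magento/product-community-edition", "version": "2.4.1-p1"},
    ]
})


def check_store(lock_json: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (installed version, affected?) for a composer.lock document."""
    version = version_from_composer_lock(lock_json)
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    installed, affected = check_store(SAMPLE_COMPOSER_LOCK)
    print(f"installed {installed}: {'AFFECTED, update' if affected else 'fixed'}")
    for v in ("2.3.6-p1", "2.3.7", "2.4.2", "2.4.2-p1", "2.4.3"):
        print(f"{v:10s} affected={is_affected(v)}")
```

Run it against the real composer.lock of a store (`check_store(open("composer.lock").read())`) rather than the constructed sample; the same thresholds apply to both editions because the fixed versions in the Solution table are identical for Commerce and Open Source.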
Vulnerability details
Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | Magento Bug ID | CVE numbers
Information Disclosure | Disclosure of document root path | Moderate | No | Yes | PRODSECBUG-2927 | CVE-2021-28566
Incorrect Authorization | Unauthorized modification of customer data | Moderate | No | Yes | PRODSECBUG-2931 | CVE-2021-28567
Cross-site scripting (DOM-based) | Arbitrary JavaScript execution in the browser | Important | Yes | No | PRODSECBUG-2918 | CVE-2021-28556
Improper Authorization | Unauthorized access to restricted resources | Moderate | No | Yes | PRODSECBUG-2935 | CVE-2021-28563
Violation of Secure Design Principles | Unauthorized access to restricted resources | Moderate | No | Yes | PRODSECBUG-2943 | CVE-2021-28583
Path traversal | Arbitrary file system write | Moderate | No | Yes | PRODSECBUG-2957 | CVE-2021-28584
Improper Input Validation | Security feature bypass | Moderate | No | No | MC-39885 | CVE-2021-28585
Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.
Acknowledgments
Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:
- Kien Hoang (CVE-2021-28567)
- Nuswantara Gading Alfa Putranto - Ethic Ninja (https://ethic.ninja) (CVE-2021-28566)
- Charybdis (CVE-2021-28556)
- Rutger Rademaker & Igor Wulff - Youwe (CVE-2021-28583)
- Matt Cardwell - Cognisys, Inc. (CVE-2021-28584)