CVE-2021-21013: Adobe Security Bulletin
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) vulnerability in the customer API module. Successful exploitation could lead to sensitive information disclosure and to updating arbitrary information on another user’s account.
Security Updates Available for Magento | APSB21-08
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB21-08 | February 09, 2021 | 2 |
Magento has released updates for Magento Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated important and critical. Successful exploitation could lead to arbitrary code execution.
| Product | Version | Platform |
|---|---|---|
| Magento Commerce | 2.4.1 and earlier versions | All |
| Magento Commerce | 2.4.0-p1 and earlier versions | All |
| Magento Commerce | 2.3.6 and earlier versions | All |
| Magento Open Source | 2.4.1 and earlier versions | All |
| Magento Open Source | 2.4.0-p1 and earlier versions | All |
| Magento Open Source | 2.3.6 and earlier versions | All |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Release Notes |
|---|---|---|---|---|
| Magento Commerce | 2.4.2 | All | 2 | 2.4.x release notes |
| Magento Commerce | 2.4.1-p1 | All | 2 | 2.4.x release notes |
| Magento Commerce | 2.3.6-p1 | All | 2 | 2.3.x release notes |
| Magento Open Source | 2.4.2 | All | 2 | 2.4.x release notes |
| Magento Open Source | 2.4.1-p1 | All | 2 | 2.4.x release notes |
| Magento Open Source | 2.3.6-p1 | All | 2 | 2.3.x release notes |
| Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | Magento Bug ID | CVE numbers |
|---|---|---|---|---|---|---|
| Insecure Direct Object Reference (IDOR) | Unauthorized access to restricted resources | Important | No | No | PRODSECBUG-2812 | CVE-2021-21012 |
| Insecure Direct Object Reference (IDOR) | Unauthorized access to restricted resources | Important | No | No | PRODSECBUG-2815 | CVE-2021-21013 |
| File Upload Allow List Bypass | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2820 | CVE-2021-21014 |
| Security bypass | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2830 | CVE-2021-21015 |
| Security bypass | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2835 | CVE-2021-21016 |
| Command injection | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2845 | CVE-2021-21018 |
| XML injection | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2847 | CVE-2021-21019 |
| Access control bypass | Unauthorized access to restricted resources | Important | No | No | PRODSECBUG-2849 | CVE-2021-21020 |
| Insecure Direct Object Reference (IDOR) | Unauthorized access to restricted resources | Important | Yes | No | PRODSECBUG-2863 | CVE-2021-21022 |
| Cross-site scripting (Stored) | Arbitrary JavaScript execution in the browser | Important | No | Yes | PRODSECBUG-2893 | CVE-2021-21023 |
| Blind SQL injection | Unauthorized access to restricted resources | Important | No | Yes | PRODSECBUG-2896 | CVE-2021-21024 |
| Security bypass | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2900 | CVE-2021-21025 |
| Improper Authorization | Unauthorized access to restricted resources | Important | No | Yes | PRODSECBUG-2902 | CVE-2021-21026 |
| Cross-site request forgery | Unauthorized modification of customer metadata | Moderate | No | No | PRODSECBUG-2903 | CVE-2021-21027 |
| Cross-site scripting (Reflected) | Arbitrary JavaScript execution in the browser | Important | Yes | No | PRODSECBUG-2907 | CVE-2021-21029 |
| Cross-site scripting (Stored) | Arbitrary JavaScript execution in the browser | Critical | Yes | No | PRODSECBUG-2912 | CVE-2021-21030 |
| Insufficient Invalidation of User Session | Unauthorized access to restricted resources | Important | No | No | PRODSECBUG-2914 | CVE-2021-21031 |
| Insufficient Invalidation of User Session | Unauthorized access to restricted resources | Important | No | No | MC-36608 | CVE-2021-21032 |
Note:
Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.
| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| Angular | Prototype Pollution | 2.4.2, 2.4.1-p1, 2.3.6-p1 |
Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:
- Malerisch (CVE-2021-21012)
- Niels Pijpers (CVE-2021-21013)
- Blaklis (CVE-2021-21014, CVE-2021-21018, CVE-2021-21030)
- Kien Hoang (hoangkien1020) (CVE-2021-21014)
- Edgar Boda-Majer of Bugscale (CVE-2021-21015, CVE-2021-21016, CVE-2021-21022)
- Kien Hoang (CVE-2021-21020)
- bobbytabl35_ (CVE-2021-21023)
- Wohlie (CVE-2021-21024)
- Peter O’Callaghan (CVE-2021-21025)
- Kiên Ka Lư (CVE-2021-21026)
- Lachlan Davidson (CVE-2021-21027)
- Natsasit Jirathammanuwat (Office Thailand) working with SEC Consult Vulnerability Lab (CVE-2021-21029)
- Anas (CVE-2021-21031)
February 09, 2021: Updated acknowledgement details about CVE-2021-21014.