CVE-2021-21013: Adobe Security Bulletin

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) vulnerability in the customer API module. Successful exploitation could lead to sensitive information disclosure and to modification of arbitrary information on another user's account.
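The bug class named in the headline, as an added illustration in Python (this is not Magento code and does not reproduce the exact defect behind CVE-2021-21012 or CVE-2021-21013): a customer-record endpoint that selects the record by an id taken from the request, shown in its vulnerable form beside a hardened form that authorizes the (caller, resource) pair first. The in-memory CUSTOMERS table, the Session type, the editable-field allow list and all handler names are assumptions made for the example.

```python
"""IDOR in a customer-record endpoint: vulnerable handler beside hardened one.

Added example; not Magento code. CUSTOMERS, Session, CUSTOMER_EDITABLE and
the handler names are illustrative only.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory stand-in for the customer table.
CUSTOMERS: Dict[int, dict] = {
    1: {"email": "alice@example.test", "firstname": "Alice"},
    2: {"email": "bob@example.test", "firstname": "Bob"},
}

# Fields a customer may change on their own account (assumed allow list);
# identity-bearing fields such as email are deliberately excluded.
CUSTOMER_EDITABLE = {"firstname", "lastname"}


@dataclass
class Session:
    """What token authentication established about the caller."""
    customer_id: Optional[int]      # set for customer tokens
    is_admin: bool = False          # set for admin/integration tokens


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


# --- Vulnerable: the record is selected by an id taken from the request ---

def get_customer_vulnerable(session: Session, requested_id: int) -> dict:
    # Authentication succeeded (we have a session), but nothing ties the
    # session to requested_id. Customer 1 reads customer 2 by changing the
    # id in the URL: the IDOR pattern.
    return CUSTOMERS[requested_id]


def update_customer_vulnerable(session: Session, requested_id: int,
                               changes: dict) -> dict:
    # Same defect on the write path: arbitrary fields on any account.
    CUSTOMERS[requested_id].update(changes)
    return CUSTOMERS[requested_id]


# --- Hardened: authorize the (caller, resource) pair before touching data ---

def _authorize(session: Session, requested_id: int) -> None:
    if session.is_admin:
        return  # an admin token may address any customer
    if session.customer_id is None or session.customer_id != requested_id:
        raise Forbidden(
            f"session for customer {session.customer_id} may not access "
            f"customer {requested_id}")


def get_customer(session: Session, requested_id: int) -> dict:
    _authorize(session, requested_id)
    return dict(CUSTOMERS[requested_id])


def update_customer(session: Session, requested_id: int, changes: dict) -> dict:
    _authorize(session, requested_id)
    if not session.is_admin:
        # Customers get an allow-listed set of fields; anything else
        # (email, group id, ...) is rejected rather than silently applied.
        unexpected = set(changes) - CUSTOMER_EDITABLE
        if unexpected:
            raise Forbidden(f"fields not editable by customer: {sorted(unexpected)}")
    CUSTOMERS[requested_id].update(changes)
    return dict(CUSTOMERS[requested_id])


def get_own_customer(session: Session) -> dict:
    """Self-service variant: the id comes from the token, never the request."""
    if session.customer_id is None:
        raise Forbidden("no customer bound to this session")
    return dict(CUSTOMERS[session.customer_id])


if __name__ == "__main__":
    alice = Session(customer_id=1)
    print("vulnerable:", get_customer_vulnerable(alice, 2)["email"])  # Bob's record
    try:
        get_customer(alice, 2)
    except Forbidden as err:
        print("hardened:", err)
```

The point to take from the hardened half is that authentication (a valid token) and authorization (this token may act on this record) are separate checks, and that the safest self-service endpoint does not accept a customer id at all but derives it from the session.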

Security Updates Available for Magento | APSB21-08

Bulletin ID | Date Published    | Priority
------------|-------------------|---------
APSB21-08   | February 09, 2021 | 2

Magento has released updates for Magento Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated important and critical. Successful exploitation could lead to arbitrary code execution.

Product             | Version                       | Platform
--------------------|-------------------------------|---------
Magento Commerce    | 2.4.1 and earlier versions    | All
Magento Commerce    | 2.4.0-p1 and earlier versions | All
Magento Commerce    | 2.3.6 and earlier versions    | All
Magento Open Source | 2.4.1 and earlier versions    | All
Magento Open Source | 2.4.0-p1 and earlier versions | All
Magento Open Source | 2.3.6 and earlier versions    | All

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product             | Updated Version | Platform | Priority Rating | Release Notes
--------------------|-----------------|----------|-----------------|--------------------
Magento Commerce    | 2.4.2           | All      | 2               | 2.4.x release notes
Magento Commerce    | 2.4.1-p1        | All      | 2               | 2.4.x release notes
Magento Commerce    | 2.3.6-p1        | All      | 2               | 2.3.x release notes
Magento Open Source | 2.4.2           | All      | 2               | 2.4.x release notes
Magento Open Source | 2.4.1-p1        | All      | 2               | 2.4.x release notes
Magento Open Source | 2.3.6-p1        | All      | 2               | 2.3.x release notes
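A practitioner's first question on reading the two tables above is whether a given installation is inside the affected range and which release resolves it. The following Python checker is an added example, not Adobe's or Magento's tooling: the affected ceilings and fixed releases are copied from the bulletin tables, while the version grammar (MAJOR.MINOR.PATCH with an optional -pN security-patch suffix), the composer.lock handling and the sample lock excerpt are assumptions made for the example. It ranks 2.4.1 below 2.4.1-p1 and 2.4.1-p1 below 2.4.2, which is the ordering a naive string or float comparison gets wrong.

```python
"""Is an installed Magento version affected by APSB21-08, and what fixes it?

Added example, not Adobe's or Magento's tooling. LAST_AFFECTED and
FIXED_RELEASES come from the bulletin tables; everything else is assumed.
"""
import json
import re
from typing import List, Optional, Tuple

# Highest affected release per branch, from the "... and earlier" rows.
# The 2.4.1 ceiling also covers the separately listed 2.4.0-p1 row.
LAST_AFFECTED = {"2.3": "2.3.6", "2.4": "2.4.1"}

# Releases that resolve the issues, from the "Updated Version" table.
FIXED_RELEASES = {"2.3": ["2.3.6-p1"], "2.4": ["2.4.1-p1", "2.4.2"]}

# Composer metapackages whose version is the Magento release version.
MAGENTO_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-pN]' into a comparable tuple.

    A bare release counts as patch level 0, so 2.4.1 < 2.4.1-p1 < 2.4.2.
    Getting this ordering wrong is the usual way a checker misses that
    2.4.1-p1 is fixed while 2.4.1 is not.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def assess(version: str) -> Tuple[str, List[str]]:
    """Return (status, fixes) for an installed version.

    status is 'affected', 'fixed', 'not-covered' (older than any branch in
    the bulletin) or 'not-listed' (newer than any branch in the bulletin).
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch in LAST_AFFECTED:
        if v <= parse_version(LAST_AFFECTED[branch]):
            return "affected", FIXED_RELEASES[branch]
        return "fixed", []
    if v < parse_version("2.3.0"):
        # The bulletin says nothing about these branches; reporting them
        # as clean would be wrong, so they get their own status.
        return "not-covered", []
    return "not-listed", []


def version_from_composer_lock(lock_json: str) -> Optional[str]:
    """Pull the Magento release version out of a composer.lock document."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") in MAGENTO_PACKAGES:
            return pkg.get("version")
    return None


# Constructed excerpt; a real composer.lock has many more packages and fields.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.0"},
        {"name": "magento/product-community-edition", "version": "2.4.0-p1"},
    ]
})


if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_LOCK)
    status, fixes = assess(installed)
    suffix = f", upgrade to one of {fixes}" if fixes else ""
    print(f"{installed}: {status}{suffix}")
```

Point the script at the real composer.lock of a deployment (for example by reading the file into `version_from_composer_lock`) rather than trusting the version shown in the admin UI, which an attacker with admin access could have reason to leave misleading.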

Vulnerability Category                    | Vulnerability Impact                           | Severity  | Pre-authentication? | Admin privileges required? | Magento Bug ID  | CVE numbers
------------------------------------------|------------------------------------------------|-----------|---------------------|----------------------------|-----------------|---------------
Insecure Direct Object Reference (IDOR)   | Unauthorized access to restricted resources    | Important | No                  | No                         | PRODSECBUG-2812 | CVE-2021-21012
Insecure Direct Object Reference (IDOR)   | Unauthorized access to restricted resources    | Important | No                  | No                         | PRODSECBUG-2815 | CVE-2021-21013
File Upload Allow List Bypass             | Arbitrary code execution                       | Critical  | No                  | Yes                        | PRODSECBUG-2820 | CVE-2021-21014
Security bypass                           | Arbitrary code execution                       | Critical  | No                  | Yes                        | PRODSECBUG-2830 | CVE-2021-21015
Security bypass                           | Arbitrary code execution                       | Critical  | No                  | Yes                        | PRODSECBUG-2835 | CVE-2021-21016
Command injection                         | Arbitrary code execution                       | Critical  | No                  | Yes                        | PRODSECBUG-2845 | CVE-2021-21018
XML injection                             | Arbitrary code execution                       | Critical  | No                  | Yes                        | PRODSECBUG-2847 | CVE-2021-21019
Access control bypass                     | Unauthorized access to restricted resources    | Important | No                  | No                         | PRODSECBUG-2849 | CVE-2021-21020
Insecure Direct Object Reference (IDOR)   | Unauthorized access to restricted resources    | Important | Yes                 | No                         | PRODSECBUG-2863 | CVE-2021-21022
Cross-site scripting (Stored)             | Arbitrary JavaScript execution in the browser  | Important | No                  | Yes                        | PRODSECBUG-2893 | CVE-2021-21023
Blind SQL injection                       | Unauthorized access to restricted resources    | Important | No                  | Yes                        | PRODSECBUG-2896 | CVE-2021-21024
Security bypass                           | Arbitrary code execution                       | Critical  | No                  | Yes                        | PRODSECBUG-2900 | CVE-2021-21025
Improper Authorization                    | Unauthorized access to restricted resources    | Important | No                  | Yes                        | PRODSECBUG-2902 | CVE-2021-21026
Cross-site request forgery                | Unauthorized modification of customer metadata | Moderate  | No                  | No                         | PRODSECBUG-2903 | CVE-2021-21027
Cross-site scripting (reflected)          | Arbitrary JavaScript execution in the browser  | Important | Yes                 | No                         | PRODSECBUG-2907 | CVE-2021-21029
Cross-site scripting (Stored)             | Arbitrary JavaScript execution in the browser  | Critical  | Yes                 | No                         | PRODSECBUG-2912 | CVE-2021-21030
Insufficient Invalidation of User Session | Unauthorized access to restricted resources    | Important | No                  | No                         | PRODSECBUG-2914 | CVE-2021-21031
Insufficient Invalidation of User Session | Unauthorized access to restricted resources    | Important | No                  | No                         | MC-36608        | CVE-2021-21032

Note:

Pre-authentication: The vulnerability is exploitable without credentials.

Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.

Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.

Dependency | Vulnerability Impact | Affected Versions
-----------|----------------------|---------------------------
Angular    | Prototype Pollution  | 2.4.2, 2.4.1-p1, 2.3.6-p1

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Malerisch (CVE-2021-21012)
  • Niels Pijpers (CVE-2021-21013)
  • Blaklis (CVE-2021-21014, CVE-2021-21018, CVE-2021-21030)
  • Kien Hoang (hoangkien1020) (CVE-2021-21014)
  • Edgar Boda-Majer of Bugscale (CVE-2021-21015, CVE-2021-21016, CVE-2021-21022)
  • Kien Hoang (CVE-2021-21020)
  • bobbytabl35_ (CVE-2021-21023)
  • Wohlie (CVE-2021-21024)
  • Peter O’Callaghan (CVE-2021-21025)
  • Kiên Ka Lư (CVE-2021-21026)
  • Lachlan Davidson (CVE-2021-21027)
  • Natsasit Jirathammanuwat (Office Thailand) working with SEC Consult Vulnerability Lab (CVE-2021-21029)
  • Anas (CVE-2021-21031)

February 09, 2021: Updated acknowledgement details about CVE-2021-21014.
