CVE-2021-36022: Adobe Security Bulletin
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
Security Updates Available for Adobe Commerce | APSB21-64
Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.
Affected versions:

| Product | Version | Platform |
| --- | --- | --- |
| Adobe Commerce | 2.4.2 and earlier versions | All |
| Adobe Commerce | 2.4.2-p1 and earlier versions | All |
| Adobe Commerce | 2.3.7 and earlier versions | All |
| Magento Open Source | 2.4.2-p1 and earlier versions | All |
| Magento Open Source | 2.3.7 and earlier versions | All |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Release Notes |
| --- | --- | --- | --- | --- |
| Adobe Commerce | 2.4.3 | All | 2 | 2.4.x release notes |
| Adobe Commerce | 2.4.2-p2 | All | 2 | 2.4.x release notes |
| Adobe Commerce | 2.3.7-p1 | All | 2 | 2.3.x release notes |
| Magento Open Source | 2.4.3 | All | 2 | 2.4.x release notes |
| Magento Open Source | 2.4.2-p2 | All | 2 | 2.4.x release notes |
| Magento Open Source | 2.3.7-p1 | All | 2 | 2.3.x release notes |
Vulnerability details:

| Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | CVSS base score | CVSS vector | Magento Bug ID | CVE numbers |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Business Logic Errors (CWE-840) | Security feature bypass | Important | yes | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | PRODSECBUG-2934 | CVE-2021-36012 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | PRODSECBUG-2963, PRODSECBUG-2964 | CVE-2021-36026, CVE-2021-36027 |
| Improper Access Control (CWE-284) | Arbitrary code execution | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2977 | CVE-2021-36036 |
| Improper Authorization (CWE-285) | Security feature bypass | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2968 | CVE-2021-36029 |
| Improper Authorization (CWE-285) | Security feature bypass | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2980 | CVE-2021-36037 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Critical | no | no | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | PRODSECBUG-3004 | CVE-2021-36044 |
| Improper Input Validation (CWE-20) | Privilege escalation | Critical | yes | no | 8.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L | PRODSECBUG-2971 | CVE-2021-36032 |
| Improper Input Validation (CWE-20) | Security feature bypass | Critical | no | no | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | PRODSECBUG-2969 | CVE-2021-36030 |
| Improper Input Validation (CWE-20) | Security feature bypass | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2982 | CVE-2021-36038 |
| Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2959, PRODSECBUG-2960, PRODSECBUG-2962, PRODSECBUG-2975, PRODSECBUG-2976, PRODSECBUG-2987, PRODSECBUG-2988, PRODSECBUG-2992 | CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042 |
| Path Traversal (CWE-22) | Arbitrary code execution | Critical | yes | yes | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | PRODSECBUG-2970 | CVE-2021-36031 |
| OS Command Injection (CWE-78) | Arbitrary code execution | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2958, PRODSECBUG-2960 | CVE-2021-36022, CVE-2021-36023 |
| Incorrect Authorization (CWE-863) | Arbitrary file system read | Important | yes | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2984 | CVE-2021-36039 |
| Server-Side Request Forgery (SSRF) (CWE-918) | Arbitrary code execution | Critical | yes | yes | 8.0 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2996 | CVE-2021-36043 |
| XML Injection (aka Blind XPath Injection) (CWE-91) | Arbitrary code execution | Critical | no | no | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | PRODSECBUG-2937 | CVE-2021-36020 |
| XML Injection (aka Blind XPath Injection) (CWE-91) | Arbitrary code execution | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2965, PRODSECBUG-2972 | CVE-2021-36028, CVE-2021-36033 |
Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:
- Blaklis (CVE-2021-36023, CVE-2021-36026, CVE-2021-36027, CVE-2021-36036, CVE-2021-36029, CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36031)
- Igorsdv (CVE-2021-36012)
- Zb3 (CVE-2021-36037, CVE-2021-36032, CVE-2021-36038, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042, CVE-2021-36039, CVE-2021-36043, CVE-2021-36033, CVE-2021-36028)
- Dftrace (CVE-2021-36044)
- Floorz (CVE-2021-36030)
- Eboda (CVE-2021-36022)
- Trivani Pant on behalf of Broadway Photo Supply Limited (CVE-2021-36020)
Revisions: August 13, 2021: Updated references to Magento/Magento Commerce to Adobe Commerce.
For more information, visit https://helpx.adobe.com/security.html, or email [email protected].