CVE-2021-21024 — SQL Injection in Magento

CWE-89 — SQL Injection5 documents4 sources

Severity

9.1CRITICALNVD

EPSS

2.8%

top 13.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Magento Commerce +1 more

Timeline

PublishedFeb 11

Latest updateMay 24

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages4 packages

▶NVDmagento/magento< 2.3.6+3

▶Packagistmagento/community-edition2.4.0 — 2.4.1-p1+1

▶CVEListV5openmage/magento-lts19.4.12

▶CVEListV5adobe/magento_commerceunspecified — 2.4.1+3

🔴Vulnerability Details

OSV

Magento Blind SQL Injection in the Search module↗2022-05-24

▶

GHSA

Magento Blind SQL Injection in the Search module↗2022-05-24

▶

GHSA

Backport for CVE-2021-21024 Blind SQLi from Magento 2↗2021-04-22

▶

CVEList

Magento Commerce Blind SQL Injection Could Lead To Unauthorized Access↗2021-02-11

▶