CVE-2021-36023
Published 2023-09-06
Priority: P3 · 48 · Severity: high · CVSS 3.1 base score: 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.29% (81.1th percentile)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | adobe_commerce | <= 2.3.7 | — |
| magento | community-edition | >= 0 < 2.3.7-p1 | 2.3.7-p1 |
| magento | community-edition | >= 2.4.2-p1 < 2.4.2-p2 | 2.4.2-p2 |
| magento | magento | < 2.3.7 | 2.3.7 |
| magento | magento | — | — |
| magento | magento | — | — |
| magento | magento | >= 2.4.0 < 2.4.2 | 2.4.2 |
| magento | project-community-edition | 0 – 2.0.2 | — |
OSV (2023-09-06): CVE-2021-36023 [CRITICAL] Magento XML Injection vulnerability in the Widgets Update Layout
GHSA (2023-09-06): CVE-2021-36023 [CRITICAL] CWE-78 Magento XML Injection vulnerability in the Widgets Update Layout
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.