cbcvebase.
CVE-2021-36023
published 2023-09-06


Priority: P3 48
CVSS 3.1: 7.2 (high)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.29% (81.1st percentile)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Affected (8 ranges)

Vendor    Product                     Version range             Fixed in
adobe     adobe_commerce              <= 2.3.7
magento   community-edition           >= 0 < 2.3.7-p1           2.3.7-p1
magento   community-edition           >= 2.4.2-p1 < 2.4.2-p2    2.4.2-p2
magento   magento                     < 2.3.7                   2.3.7
magento   magento
magento   magento
magento   magento                     >= 2.4.0 < 2.4.2          2.4.2
magento   project-community-edition   0 – 2.0.2
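The ranges in the table above are easy to misread because Magento's -pN security-patch suffix sorts after the base release (2.4.2 < 2.4.2-p1 < 2.4.2-p2 < 2.4.3), and because plain 2.4.2, which the description names as affected, sits in the gap between the ">= 2.4.0 < 2.4.2" and ">= 2.4.2-p1" rows. The check below is an added example written for this page; it is not code from cbcvebase, Adobe or the Magento project. It encodes only the four magento rows that carry explicit bounds (the adobe_commerce, project-community-edition and two blank rows are left out) and, as an assumption, uses the two "fixed in" levels 2.3.7-p1 and 2.4.2-p2 as the per-branch cut-off so that 2.4.2 and 2.4.2-p1 are reported as affected, as the description states.

```python
import re
from typing import List, Optional, Tuple

# (major, minor, patch, security-patch level from the "-pN" suffix)
Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-p(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse a Magento version such as '2.4.2-p1' into a comparable tuple.

    Assumption: the '-pN' suffix is a security patch level that sorts after
    the base release and before the next patch release, i.e.
    2.4.2 < 2.4.2-p1 < 2.4.2-p2 < 2.4.3.  A missing component is 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Magento version string: {text!r}")
    major, minor, patch, plevel = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch, plevel)


# The four fully specified rows of the "Affected" table above.
# Bounds: lower inclusive, upper exclusive; None means unbounded on that side.
AFFECTED_RANGES = [
    # vendor,   product,             lower,      upper,      fixed in
    ("magento", "community-edition", "0",        "2.3.7-p1", "2.3.7-p1"),
    ("magento", "community-edition", "2.4.2-p1", "2.4.2-p2", "2.4.2-p2"),
    ("magento", "magento",           None,       "2.3.7",    "2.3.7"),
    ("magento", "magento",           "2.4.0",    "2.4.2",    "2.4.2"),
]


def matching_ranges(version: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (vendor, product, fixed_in) for every table row whose range contains `version`."""
    v = parse_version(version)
    hits = []
    for vendor, product, lower, upper, fixed in AFFECTED_RANGES:
        if lower is not None and v < parse_version(lower):
            continue
        if upper is not None and v >= parse_version(upper):
            continue
        hits.append((vendor, product, fixed))
    return hits


# Assumption: the "fixed in" column gives one cut-off per release branch.
FIXED_IN_BRANCH = {(2, 3): "2.3.7-p1", (2, 4): "2.4.2-p2"}


def is_affected(version: str) -> bool:
    """Branch-based verdict: affected if the install is below its branch's fixed level.

    This deliberately reports plain 2.4.2 and 2.4.2-p1 as affected, matching the
    description, even though 2.4.2 is not inside any explicit table row.
    Versions below 2.3 follow the table's '>= 0' lower bound and are affected;
    branches newer than 2.4 are outside this advisory and reported as not affected.
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_IN_BRANCH:
        return v < parse_version(FIXED_IN_BRANCH[branch])
    return branch < (2, 3)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the page.
    for sample in ["2.3.6", "2.3.7", "2.3.7-p1", "2.4.1", "2.4.2", "2.4.2-p1", "2.4.2-p2", "2.4.3"]:
        verdict = "AFFECTED" if is_affected(sample) else "not affected"
        print(f"{sample:10} {verdict:13} table rows: {matching_ranges(sample)}")
```

On a live install the version string to feed in comes from `php bin/magento --version`; the script shows the table-row lookup and the branch verdict side by side so the 2.4.2 gap is visible rather than silently reported as clean. Note that the CVSS vector carries PR:H, so the check is about patch status, not about exposure to unauthenticated attackers.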