CVE-2021-36038
published 2021-09-01CVE-2021-36038: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the…
PriorityP335medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
1.79%
75.6th percentile
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | adobe_commerce | — | — |
| adobe | adobe_commerce | 2.3.0 – 2.3.7 | — |
| adobe | adobe_commerce | 2.4.0 – 2.4.2 | — |
| adobe | magento_commerce | unspecified – 2.4.2 | — |
| adobe | magento_open_source | — | — |
| adobe | magento_open_source | 2.3.0 – 2.3.7 | — |
| adobe | magento_open_source | 2.4.0 – 2.4.2 | — |
| magento | community-edition | >= 0 < 2.3.7-p1 | 2.3.7-p1 |
| magento | community-edition | >= 2.4.2-p1 < 2.4.2-p2 | 2.4.2-p2 |
| magento | project-community-edition | 0 – 2.0.2 | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Magento discloses sensitive information via the Multishipping Module
osv·2022-05-24
CVE-2021-36038 [MEDIUM] Magento discloses sensitive information via the Multishipping Module
Magento discloses sensitive information via the Multishipping Module
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
GHSA
Magento discloses sensitive information via the Multishipping Module
ghsa·2022-05-24
CVE-2021-36038 [MEDIUM] CWE-20 Magento discloses sensitive information via the Multishipping Module
Magento discloses sensitive information via the Multishipping Module
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-09-01
Published