Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 3
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17
Vulnerabilities
Page 18 of 18
CVE-2021-28585 | MEDIUM | ≥ 2.4.0, < 2.4.2-p1 | ≥ 0, < 2.3.7 | 2022-05-24
CVE-2021-28585 [MEDIUM] CWE-20 Magento Improper input validation vulnerability
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI. Successful exploitation could allow an attacker to send unsolicited spam e-mails.
ghsa | osv
CVE-2020-24402 | MEDIUM | ≥ 0, < 2.3.6 | ≥ 2.4.0, < 2.4.1 | 2022-05-24
CVE-2020-24402 [MEDIUM] CWE-276 Magento incorrect permissions vulnerability in the Integrations component
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.
ghsa | osv
CVE-2020-24403 | LOW | ≥ 0, < 2.3.6 | ≥ 2.4.0, < 2.4.1 | 2022-05-24
CVE-2020-24403 [LOW] CWE-285 Magento incorrect user permissions vulnerability within the Inventory component
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.
ghsa | osv
CVE-2021-28566 | LOW | ≥ 2.4.0, < 2.4.2-p1 | ≥ 2.3.0, < 2.3.7 | 2022-05-24
CVE-2021-28566 [LOW] CWE-200 Magento Information Disclosure vulnerability
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified PNG file to a product image. Successful exploitation could lead to the disclosure of the document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
ghsa | osv
CVE-2020-24404 | LOW | ≥ 0, < 2.3.6 | ≥ 2.4.0, < 2.4.1 | 2022-05-24
CVE-2020-24404 [LOW] CWE-285 Magento 2 Community Edition vulnerable to Improper Authorization
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete CMS pages via the REST API without authorization.
ghsa | osv
CVE-2020-24406 | LOW | ≥ 0, < 2.3.6 | ≥ 2.4.0, < 2.4.1 | 2022-05-24
CVE-2020-24406 [LOW] CWE-200 Magento information disclosure vulnerability
When in maintenance mode, Magento versions 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.
ghsa | osv
CVE-2018-5301 | MEDIUM | ≥ 0, < 2.0.10 | ≥ 2.1.0, < 2.1.2 | 2022-05-14
CVE-2018-5301 [MEDIUM] CWE-352 Magento Cross-Site Request Forgery (CSRF)
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433.
ghsa | osv
CVE-2022-24086 | CRITICAL | KEV | PoC | ≥ 2.3.3-p1, < 2.3.7-p3 | ≥ 2.4.0, < 2.4.3-p2 | 2022-02-17
CVE-2022-24086 [CRITICAL] CWE-20 Magento improper input validation vulnerability
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
ghsa | osv
CVE-2016-6485 | HIGH | ≥ 2.0, < 2.2.6 | 2019-11-20
CVE-2016-6485 [HIGH] CWE-327 Unauthenticated crypto and weak IV in Magento\Framework\Encryption
The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.
ghsa | osv
CVE-2019-8135 | CRITICAL | ≥ 2.2, < 2.2.10 | ≥ 2.3, < 2.3.2-p2 | 2019-11-12
CVE-2019-8135 [CRITICAL] CWE-74 Remote code execution via vulnerable Symfony dependency injection
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through the Symfony framework allows service identifiers to be derived from user-controlled data, which can lead to remote code execution.
As per [the Magento Release 2.3.3](https://web.archive.org/we
ghsa | osv
CVE-2019-8121 | HIGH | ≥ 2.2, < 2.2.10 | ≥ 2.3, < 2.3.3 | 2019-11-12
CVE-2019-8121 [HIGH] Using JS libraries with known security vulnerabilities
An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jQuery, Knockout) with known security vulnerabilities.
ghsa | osv
CVE-2019-8233 | MEDIUM | ≥ 2.2, < 2.2.10 | ≥ 2.3, < 2.3.3 | 2019-11-12
CVE-2019-8233 [MEDIUM] CWE-79 Composer JavaScript injection possible via HTML comments
In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.
ghsa | osv
CVE-2019-8133 | MEDIUM | ≥ 2.2, < 2.2.10 | ≥ 2.3, < 2.3.2-p2 | 2019-11-12
CVE-2019-8133 [MEDIUM] Bypass of sitemap access restrictions
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service.
As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://de
ghsa | osv
CVE-2019-8126 | MEDIUM | ≥ 2.2, < 2.2.10 | ≥ 2.3, < 2.3.2-p2 | 2019-11-12
CVE-2019-8126 [MEDIUM] CWE-611 Information disclosure through processing of external XML entities
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to informatio
ghsa | osv
CVE-2019-8145 | MEDIUM | ≥ 2.2, < 2.2.10 | ≥ 2.3, < 2.3.2-p1 | 2019-11-12
CVE-2019-8145 [MEDIUM] CWE-79 Magento Cross-Site Scripting via Attribute Set Name
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
ghsa | osv