Magento Project-Community-Edition vulnerabilities

CVE-2024-20758 [HIGH] CWE-20 Magento Open Source allows Improper Input Validation Magento Open Source allows Improper Input Validation Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but the attack complexity is high.

CVE-2024-20759 [MEDIUM] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS) Magento Open Source allows Cross-Site Scripting (XSS) Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulne

CVE-2024-20719 [HIGH] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS) Magento Open Source allows Cross-Site Scripting (XSS) Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be lev

CVE-2024-20720 [HIGH] CWE-78 Magento Open Source allows OS Command Injection Magento Open Source allows OS Command Injection Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.

CVE-2024-20716 [MEDIUM] CWE-400 Magento Open Source allows Uncontrolled Resource Consumption Magento Open Source allows Uncontrolled Resource Consumption Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to an application denial-of-service. A high-privileged attacker could leverage this vulnerability to exhaust system resources, causing the application to slow down or crash. Exploitation of this is

CVE-2024-20718 [MEDIUM] CWE-352 Magento Open Source allows Cross-Site Request Forgery (CSRF) Magento Open Source allows Cross-Site Request Forgery (CSRF) Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to trick a victim into performing actions they did not intend to do, which could be used to bypass security measures and

CVE-2023-26367 [MEDIUM] CWE-20 Magento Open Source has Improper Input Validation Vulnerability Magento Open Source has Improper Input Validation Vulnerability Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.

CVE-2023-38251 [MEDIUM] CWE-400 Magento Open Source allows Uncontrolled Resource Consumption Magento Open Source allows Uncontrolled Resource Consumption Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Uncontrolled Resource Consumption vulnerability that could lead into a minor application denial-of-service. Exploitation of this issue does not require user interaction.

CVE-2023-38218 [MEDIUM] CWE-20 Magento Open Source allows Incorrect Authorization Magento Open Source allows Incorrect Authorization Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.

CVE-2023-38249 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection Magento Open Source allows SQL Injection Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte

CVE-2023-38221 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection Magento Open Source allows SQL Injection Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte

CVE-2023-38220 [MEDIUM] CWE-285 Magento Open Source allows Improper Authorization Magento Open Source allows Improper Authorization Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction.

CVE-2023-26366 [MEDIUM] CWE-918 Magento Open Source allows Server-Side Request Forgery (SSRF) Magento Open Source allows Server-Side Request Forgery (SSRF) Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via inject

CVE-2023-38250 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection Magento Open Source allows SQL Injection Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte

CVE-2023-38219 [LOW] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS) Magento Open Source allows Cross-Site Scripting (XSS) Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when t

CVE-2022-24093 [MEDIUM] CWE-20 Magento Open Source affected by Improper Input Validation Magento Open Source affected by Improper Input Validation Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.

CVE-2021-36023 [CRITICAL] CWE-78 Magento XML Injection vulnerability in the Widgets Update Layout Magento XML Injection vulnerability in the Widgets Update Layout Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

CVE-2021-36021 [CRITICAL] CWE-20 Magento affected by remote code execution vulnerability in the CMS page scheduled update feature Magento affected by remote code execution vulnerability in the CMS page scheduled update feature Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulner

CVE-2021-36036 [CRITICAL] CWE-284 Magento improper access control vulnerability within Magento's Media Gallery Upload workflow Magento improper access control vulnerability within Magento's Media Gallery Upload workflow Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker wit

CVE-2023-38208 [HIGH] CWE-78 Magento Open Source allows Improper Neutralization of Special Elements Used Magento Open Source allows Improper Neutralization of Special Elements Used Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploi