Magento Project-Community-Edition vulnerabilities

161 known vulnerabilities affecting magento/project-community-edition.

Total CVEs: 161
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 24, HIGH 48, MEDIUM 77, LOW 12

Vulnerabilities

Page 6 of 9

CVE | Severity | Affected range | Date
CVE-2020-9631 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento security mitigation bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2021-21014 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento vulnerable to a file upload restriction bypass (CWE-434). Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
Sources: GHSA, OSV
CVE-2020-9578 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento command injection vulnerability (CWE-78). Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2021-36040 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento has a file extension restrictions bypass (CWE-20). Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions, which could lead to remote code execution.
Sources: GHSA, OSV
CVE-2020-9691 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento DOM-based cross-site scripting vulnerability (CWE-79). Magento versions 2.3.5-p1 and earlier have a DOM-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9630 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento business logic error vulnerability (CWE-269). Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation.
Sources: GHSA, OSV
CVE-2021-21016 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento OS command injection via the WebAPI (CWE-78). Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
Sources: GHSA, OSV
CVE-2020-9576 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento command injection vulnerability (CWE-78). Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9632 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento security mitigation bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2021-36028 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento has an XML Injection vulnerability (CWE-91). Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
Sources: GHSA, OSV
CVE-2021-36025 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento is affected by an improper input validation vulnerability while saving a customer's details (CWE-20). Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges
Sources: GHSA, OSV
CVE-2020-9580 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento security mitigation bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9583 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento command injection vulnerability (CWE-78). Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2021-36042 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento executes code via the API File Option Upload Extension (CWE-20). Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.
Sources: GHSA, OSV
CVE-2021-21025 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento XPath Injection (CWE-91). Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
Sources: GHSA, OSV
CVE-2020-9582 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento command injection vulnerability (CWE-78). Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9585 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento defense-in-depth security mitigation vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-24407 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento 2 Community Edition RCE via unsafe file upload (CWE-434). Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
Sources: GHSA, OSV
CVE-2021-36033 | CRITICAL | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento XML Injection vulnerability in the Widgets Module (CWE-91). Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
Sources: GHSA, OSV
CVE-2021-36024 | HIGH | ≥ 0, ≤ 2.0.2 | 2022-05-24
Magento is affected by an OS command injection via the Data collection endpoint (CWE-77). Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code executio
Sources: GHSA, OSV
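The affected Magento release lines on this page live only inside each description, in phrases such as "2.4.1 (and earlier)" or "2.4.0 and 2.3.5p1 (and earlier)", while the range column gives the aggregator's Composer-package range. Checking a store against the list therefore means parsing those phrases. The script below is an added example written for this page, not code from the listing, from Magento, or from GHSA/OSV; the three advisory strings are copied from entries above and the installed version strings are constructed inputs. It treats "X and earlier" as an inclusive upper bound on X's major.minor line, a bare version with no qualifier as an exact release, and a higher -pN patch level on the same base release as something to verify against the vendor bulletin rather than assume fixed, since the advisory text does not say which patch release carries the fix.

```python
"""Check an installed Magento version against the "X (and earlier)" phrases
used in the advisories on this page. Added example; not code from the listing,
Magento, GHSA or OSV."""
import re

# Versions on this page look like "2.4.0-p1", "2.3.5p1", "2.3.4" or "1.14.4.4".
_VERSION = r"(\d+(?:\.\d+){1,3})(?:-?p(\d+))?"
# A bound may be followed by "and earlier" or "(and earlier)"; a bare version
# such as "2.4.0" in "2.4.0 and 2.3.5p1 (and earlier)" names one exact release.
_BOUND_RE = re.compile(_VERSION + r"(\s*\(?and earlier\)?)?")

# Constructed sample: description text copied from three entries on this page.
ADVISORIES = {
    "CVE-2020-9631": "Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), "
                     "1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security "
                     "mitigation bypass vulnerability.",
    "CVE-2021-21014": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and "
                      "2.3.6 (and earlier) are vulnerable to a file upload restriction bypass.",
    "CVE-2020-24407": "Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by "
                      "an unsafe file upload vulnerability.",
}


def parse_version(text):
    """'2.3.5-p1' -> (2, 3, 5, 0, 1): four numeric parts (zero-padded) plus patch level."""
    m = re.fullmatch(_VERSION, text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts) + (int(m.group(2) or 0),)


def affected_bounds(advisory_text):
    """Extract (version, inclusive) pairs: '2.4.1 (and earlier)' -> ((2,4,1,0,0), True)."""
    bounds = []
    for m in _BOUND_RE.finditer(advisory_text):
        suffix = f"-p{m.group(2)}" if m.group(2) else ""
        bounds.append((parse_version(m.group(1) + suffix), m.group(3) is not None))
    return bounds


def classify(installed, advisory_text):
    """
    'affected'           installed is on a listed major.minor line and <= its bound,
                         or equals an exactly listed release
    'check_patch_level'  installed is a bound's base release with a higher -pN; the
                         text does not say whether that patch level carries the fix
    'not_matched'        no listed line matches; an end-of-life line the vendor did
                         not name (e.g. 2.1.x in the 2020 advisories) is unlisted, not safe
    """
    inst = parse_version(installed)
    verdict = "not_matched"
    for bound, inclusive in affected_bounds(advisory_text):
        same_line = inst[:2] == bound[:2]
        if same_line and inclusive and inst <= bound:
            return "affected"
        if not inclusive and inst == bound:
            return "affected"
        if same_line and inst[:4] == bound[:4] and inst[4] > bound[4]:
            verdict = "check_patch_level"
    return verdict


def report(installed, advisories=ADVISORIES):
    """Verdict per advisory for one installed version (as printed by bin/magento --version)."""
    return {cve: classify(installed, text) for cve, text in advisories.items()}


if __name__ == "__main__":
    for cve, verdict in report("2.3.5-p2").items():
        print(f"{cve}: {verdict}")
```

Running it with the constructed version 2.3.5-p2 marks CVE-2021-21014 as affected (2.3.5-p2 falls under "2.3.6 (and earlier)"), CVE-2020-9631 as not matched, and CVE-2020-24407 as check_patch_level because the text names 2.3.5p1 and is silent about later patch releases of 2.3.5. A not_matched verdict is not a clean bill of health: the 2020 advisories name only the 2.3, 2.2, 1.14 and 1.9 lines, so an end-of-life 2.1.x store is unlisted rather than safe, and the truncated entries on this page (CVE-2021-36025, CVE-2021-36024) should be read from their source advisories before relying on the parsed bounds.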