Magento Project-Community-Edition vulnerabilities
161 known vulnerabilities affecting magento/project-community-edition.
Total CVEs: 161
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 24, HIGH 48, MEDIUM 77, LOW 12

Note on the affected range shown on each entry: "≥ 0, ≤ 2.0.2" is the range recorded against the magento/project-community-edition Composer package name, not the set of vulnerable Magento releases. The releases that are actually affected are the ones named in each entry's description (2.3.x and 2.4.x, and 1.x for the older CVEs); use those, not the package range, when deciding whether a given install is affected.
Vulnerabilities
Page 8 of 9
CVE-2021-36037 [MEDIUM] CWE-285 Magento is affected by an improper authorization vulnerability
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
Sources: GHSA, OSV
CVE-2021-28584 [MEDIUM] CWE-22 Magento Path Traversal vulnerability
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme. Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required for successful exploitation.
Sources: GHSA, OSV
CVE-2021-39864 [MEDIUM] CWE-352 Magento Open Source allows Cross-Site Request Forgery (CSRF)
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to a customer's cart by an unauthenticated attacker. Access to the admin console is not required f
Sources: GHSA, OSV
CVE-2021-21022 [MEDIUM] CWE-285 Magento Insecure Direct Object Reference (IDOR) in the product module
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.
Sources: GHSA, OSV
CVE-2021-21026 [MEDIUM] CWE-285 Magento improper authorization vulnerability in the integrations module
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required
Sources: GHSA, OSV
CVE-2021-36027 [MEDIUM] CWE-79 Magento stored cross-site scripting vulnerability
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Sources: GHSA, OSV
CVE-2021-36038 [MEDIUM] CWE-20 Magento discloses sensitive information via the Multishipping Module
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
Sources: GHSA, OSV
CVE-2021-21027 [MEDIUM] CWE-352 Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin consol
Sources: GHSA, OSV
CVE-2021-28556 [MEDIUM] CWE-79 Magento DOM-based Cross-Site Scripting vulnerability on mage-messages cookies
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for s
Sources: GHSA, OSV
CVE-2021-21031 [MEDIUM] CWE-613 Magento Insufficient Session Expiration
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
Sources: GHSA, OSV
CVE-2021-28567 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability in the customers module
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation.
Sources: GHSA, OSV
CVE-2021-21020 [MEDIUM] CWE-284 Magento Improper Access Control
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources.
Sources: GHSA, OSV
CVE-2020-9577 [MEDIUM] CWE-79 Magento stored cross-site scripting vulnerability
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
Sources: GHSA, OSV
CVE-2021-36012 [MEDIUM] Magento affected by a business logic error in the placeOrder graphql mutation
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to alter the price of an item.
Sources: GHSA, OSV
CVE-2020-9581 [MEDIUM] CWE-79 Magento stored cross-site scripting vulnerability
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
Sources: GHSA, OSV
CVE-2021-36026 [MEDIUM] CWE-79 Magento stored cross-site scripting vulnerability in the customer address upload feature
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Mali
Sources: GHSA, OSV
CVE-2021-21032 [MEDIUM] CWE-613 Magento Insufficient Session Expiration
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
Sources: GHSA, OSV
CVE-2021-28585 [MEDIUM] CWE-20 Magento Improper input validation vulnerability
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI. Successful exploitation could allow an attacker to send unsolicited spam e-mails.
Sources: GHSA, OSV
CVE-2020-24402 [MEDIUM] CWE-276 Magento incorrect permissions vulnerability in the Integrations component
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.
Sources: GHSA, OSV
CVE-2020-24403 [LOW] CWE-285 Magento incorrect user permissions vulnerability within the Inventory component
Affected range: ≥ 0, ≤ 2.0.2 | Date: 2022-05-24
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.
Sources: GHSA, OSV