CVE-2021-36023
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
59.9%
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| magento | magento | * | cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:* |
| magento | magento | * | cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:* |
| magento | magento | 2.3.7 | cpe:2.3:a:magento:magento:2.3.7:-:*:*:commerce:*:*:* |
| magento | magento | 2.3.7 | cpe:2.3:a:magento:magento:2.3.7:-:*:*:open_source:*:*:* |
| magento | magento | 2.4.2 | cpe:2.3:a:magento:magento:2.4.2:-:*:*:commerce:*:*:* |
| magento | magento | 2.4.2 | cpe:2.3:a:magento:magento:2.4.2:-:*:*:open_source:*:*:* |
| magento | magento | 2.4.2 | cpe:2.3:a:magento:magento:2.4.2:p1:*:*:commerce:*:*:* |
| magento | magento | 2.4.2 | cpe:2.3:a:magento:magento:2.4.2:p1:*:*:open_source:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
59.9%