Magento up to 2.3.6/2.4.0-p1/2.4.1 Product Layout Update xml injection


A vulnerability classified as critical was found in Magento up to 2.3.6/2.4.0-p1/2.4.1. It affects unknown code in the Product Layout Update Handler component. No information about possible countermeasures is known. It may be advisable to replace the affected object with an alternative product.

| Field | 02/12/2021 11:40 AM | 02/28/2021 03:14 PM | 02/28/2021 03:20 PM |
|---|---|---|---|
| name | Magento | Magento | Magento |
| version | <=2.3.6/2.4.0-p1/2.4.1 | <=2.3.6/2.4.0-p1/2.4.1 | <=2.3.6/2.4.0-p1/2.4.1 |
| component | Product Layout Update Handler | Product Layout Update Handler | Product Layout Update Handler |
| cwe | 91 (privilege escalation) | 91 (privilege escalation) | 91 (privilege escalation) |
| risk | 2 | 2 | 2 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | H | H | H |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | L | L | L |
| cvss3_vuldb_i | L | L | L |
| cvss3_vuldb_a | L | L | L |
| url | https://helpx.adobe.com/security/products/magento/apsb21-08.html | https://helpx.adobe.com/security/products/magento/apsb21-08.html | https://helpx.adobe.com/security/products/magento/apsb21-08.html |
| cve | CVE-2021-21025 | CVE-2021-21025 | CVE-2021-21025 |
| date | 1613084400 (02/12/2021) | 1613084400 (02/12/2021) | 1613084400 (02/12/2021) |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | L | L | L |
| cvss2_vuldb_au | M | M | M |
| cvss2_vuldb_ci | P | P | P |
| cvss2_vuldb_ii | P | P | P |
| cvss2_vuldb_ai | P | P | P |
| cvss2_vuldb_e | ND | ND | ND |
| cvss2_vuldb_rl | ND | ND | ND |
| cvss2_vuldb_rc | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss3_vuldb_rl | X | X | X |
| cvss3_vuldb_rc | X | X | X |
| cvss2_vuldb_basescore | 5.8 | 5.8 | 5.8 |
| cvss2_vuldb_tempscore | 5.8 | 5.8 | 5.8 |
| cvss3_vuldb_basescore | 4.7 | 4.7 | 4.7 |
| cvss3_vuldb_tempscore | 4.7 | 4.7 | 4.7 |
| cvss3_meta_basescore | 4.7 | 4.7 | 4.7 |
| cvss3_meta_tempscore | 4.7 | 4.7 | 4.7 |
| price_0day | $0-$5k | $0-$5k | $0-$5k |
| cve_assigned | | 1608246000 | 1608246000 |
| cve_nvd_summary | | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. |
| cvss2_nvd_av | | | N |
| cvss2_nvd_ac | | | L |
| cvss2_nvd_au | | | S |
| cvss2_nvd_ci | | | P |
| cvss2_nvd_ii | | | P |
| cvss2_nvd_ai | | | P |
| cve_cna | | | Adobe Systems Incorporated |
| cvss2_nvd_basescore | | | 6.5 |
