Magento up to 2.3.6/2.4.0-p1/2.4.1 Product Layout Update xml injection


A vulnerability was found in Magento up to 2.3.6/2.4.0-p1/2.4.1 and classified as critical. This issue affects unknown code of the component Product Layout Update Handler. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritization of issues is possible.


ID       | Committed  | User    | Field                 | Change                                                                                                                                                                                                                                                                                          | Remarks                      | Moderated  | Reason   | C
10982259 | 02/28/2021 | VulD... | cvss2_nvd_basescore   | 6.5                                                                                                                                                                                                                                                                                             | nist.gov                     | 02/28/2021 | accepted | 90
10982258 | 02/28/2021 | VulD... | cve_cna               | Adobe Systems Incorporated                                                                                                                                                                                                                                                                      | nvd.nist.gov                 | 02/28/2021 | accepted | 70
10982257 | 02/28/2021 | VulD... | cvss2_nvd_ai          | P                                                                                                                                                                                                                                                                                               | nvd.nist.gov                 | 02/28/2021 | accepted | 70
10982256 | 02/28/2021 | VulD... | cvss2_nvd_ii          | P                                                                                                                                                                                                                                                                                               | nvd.nist.gov                 | 02/28/2021 | accepted | 70
10982255 | 02/28/2021 | VulD... | cvss2_nvd_ci          | P                                                                                                                                                                                                                                                                                               | nvd.nist.gov                 | 02/28/2021 | accepted | 70
10982254 | 02/28/2021 | VulD... | cvss2_nvd_au          | S                                                                                                                                                                                                                                                                                               | nvd.nist.gov                 | 02/28/2021 | accepted | 70
10982253 | 02/28/2021 | VulD... | cvss2_nvd_ac          | L                                                                                                                                                                                                                                                                                               | nvd.nist.gov                 | 02/28/2021 | accepted | 70
10982252 | 02/28/2021 | VulD... | cvss2_nvd_av          | N                                                                                                                                                                                                                                                                                               | nvd.nist.gov                 | 02/28/2021 | accepted | 70
10982251 | 02/28/2021 | VulD... | cve_nvd_summary       | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. | cve.mitre.org                | 02/28/2021 | accepted | 70
10982250 | 02/28/2021 | VulD... | cve_assigned          | 1608246000                                                                                                                                                                                                                                                                                      | cve.mitre.org                | 02/28/2021 | accepted | 70
10918226 | 02/12/2021 | VulD... | price_0day            | $0-$5k                                                                                                                                                                                                                                                                                          | see documentation            | 02/12/2021 | accepted | 90
10918225 | 02/12/2021 | VulD... | cvss3_meta_tempscore  | 4.7                                                                                                                                                                                                                                                                                             | see documentation            | 02/12/2021 | accepted | 90
10918224 | 02/12/2021 | VulD... | cvss3_meta_basescore  | 4.7                                                                                                                                                                                                                                                                                             | see documentation            | 02/12/2021 | accepted | 90
10918223 | 02/12/2021 | VulD... | cvss3_vuldb_tempscore | 4.7                                                                                                                                                                                                                                                                                             |                              | 02/12/2021 | accepted | 90
10918222 | 02/12/2021 | VulD... | cvss3_vuldb_basescore | 4.7                                                                                                                                                                                                                                                                                             |                              | 02/12/2021 | accepted | 90
10918221 | 02/12/2021 | VulD... | cvss2_vuldb_tempscore | 5.8                                                                                                                                                                                                                                                                                             |                              | 02/12/2021 | accepted | 90
10918220 | 02/12/2021 | VulD... | cvss2_vuldb_basescore | 5.8                                                                                                                                                                                                                                                                                             |                              | 02/12/2021 | accepted | 90
10918219 | 02/12/2021 | VulD... | cvss3_vuldb_rc        | X                                                                                                                                                                                                                                                                                               | derived from historical data | 02/12/2021 | accepted | 80
10918218 | 02/12/2021 | VulD... | cvss3_vuldb_rl        | X                                                                                                                                                                                                                                                                                               | derived from historical data | 02/12/2021 | accepted | 80
10918217 | 02/12/2021 | VulD... | cvss3_vuldb_e         | X                                                                                                                                                                                                                                                                                               | derived from historical data | 02/12/2021 | accepted | 80
