Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-21029)

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

Remediation

References

Related Vulnerabilities

WordPress Plugin Revive Old Post-Auto Post to Social Media 'cat' Parameter SQL Injection (3.2.5)

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-7880)

WordPress Plugin Timetable and Event Schedule by MotoPress Information Disclosure (2.3.19)

WordPress Plugin Plug your WooCommerce into the largest catalog of customized print products from Helloprint Cross-Site Scripting (1.4.6)

Plone CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-7136)

Severity

Medium

Classification

CVE-2021-21029 CWE-707 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities