Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-21029)

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

Remediation

References

Related Vulnerabilities

Oracle JRE CVE-2023-21937 Vulnerability (CVE-2023-21937)

Oracle Database Server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2007-0275)

WordPress Plugin Spotlight Social Feeds [Block, Shortcode, and Widget] Security Bypass (0.10.1)

WordPress Plugin Blog2Social:Social Media Auto Post & Scheduler Cross-Site Scripting (5.8.1)

WordPress Plugin Beautiful Stat Counter for WordPress-Everest Counter Lite includes Backdoor [Only if downloaded via the vendor website] (2.0.7)

Severity

Medium

Classification

CVE-2021-21029 CWE-707 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities