Description
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
Remediation
References
Related Vulnerabilities
Oracle Database Server CVE-2011-0848 Vulnerability (CVE-2011-0848)
WordPress Plugin Print My Blog-Print, PDF, & eBook Converter Cross-Site Request Forgery (3.4.1)
WordPress Plugin Quick Chat Cross-Site Scripting (4.14)
WordPress Plugin PowerPress Podcasting by Blubrry Cross-Site Scripting (6.0.4)
Jenkins Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-1810)