Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Remediation

References

CVE-2021-21025

Related Vulnerabilities

MySQL CVE-2013-0384 Vulnerability (CVE-2013-0384)

Plone CMS Improper Input Validation Vulnerability (CVE-2011-4462)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-1951)

PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2010-1860)

Liferay Portal URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2023-5190)

Severity

Critical

Classification

CVE-2021-21025 CWE-91 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities