CVE-2021-21029
Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution
CVSS 3.1: 4.8 (MEDIUM)
EPSS: 43.5%
Description
Magento versions 2.4.1 (and earlier), 2.4.0 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via the 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.
How to fix CVE-2021-21029
To remediate CVE-2021-21029, upgrade the affected package to one of the fixed versions below.
- upgrade to 2.3.6 or later
- upgrade to 2.3.6-p1 or later
Is CVE-2021-21029 being exploited?
Moderate: EPSS is 43.5%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (2)
- >= 0, < 2.3.6; >= 2.4.0, < 2.4.1
- >= 0, < 2.3.6-p1
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |