CVE-2021-36023
Magento Commerce Widgets Update Layout XML Injection Vulnerability Could Lead To Remote Code Execution
CVSS 3.1 base score: 9.1 (CRITICAL)
EPSS: 16.3%
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
How to fix CVE-2021-36023
To remediate CVE-2021-36023, upgrade the affected package to a fixed version below.
- upgrade to 2.3.7 or later
- upgrade to 2.3.7-p1 or later
- no fix listed
Is CVE-2021-36023 being exploited?
Moderate — EPSS is 16.3%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- >= 0, < 2.3.7 and >= 2.4.0, < 2.4.2
- >= 0, < 2.3.7-p1
- >= 0, <= 2.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |