CVE-2021-36026

Description

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Related CPE's

aadobemagento_open_source********

aadobeadobe_commerce********

aadobeadobe_commerce2.4.2p1******

aadobeadobe_commerce********

aadobemagento_open_source2.4.2p1******

aadobemagento_open_source********

References

https://helpx.adobe.com/security/products/magento/apsb21-64.html

PatchVendor Advisory

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AttackVector

NETWORK

AttackComplexity

LOW

PrivilegesRequired

NONE

UserInteraction

REQUIRED

Scope

CHANGED

ConfidentialityImpact

LOW

IntegrityImpact

LOW

AvailabilityImpact

NONE

BaseScore

6.1

BaseSeverity

MEDIUM

CvssV2 impact

AccessComplexity

MEDIUM

ConfidentialityImpact

NONE

AvailabilityImpact

NONE

IntegrityImpact

PARTIAL

BaseScore

4.300000190734863

VectorString

AV:N/AC:M/Au:N/C:N/I:P/A:N

Version

2.0

AccessVector

NETWORK

Authentication

NONE

Created by Yello
About Severity.io