Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
References
Link | Resource |
---|---|
https://helpx.adobe.com/security/products/magento/apsb21-08.html | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2021-02-11 12:15
Updated : 2021-02-16 07:24
NVD link : CVE-2021-21025
Mitre link : CVE-2021-21025
JSON object : View
CWE
CWE-91
XML Injection (aka Blind XPath Injection)
Products Affected
magento
- magento