Magento Magento e-commerce software

Do you want an email whenever new security vulnerabilities are reported in any Magento product?

Products by Magento Sorted by Most Security Vulnerabilities since 2018

Magento193 vulnerabilities

Magento Upward Connector1 vulnerability

Magento Upward Php1 vulnerability

@magento Tweets

Alles was ihr über #ERP Schnittstellenintegration wissen müsst erfahrt ihr morgen im #ECC Webtalk. Jetzt anmelden:… https://t.co/80ZBddA4ww
Wed Apr 21 12:04:03 +0000 2021

Flexibilidad y ambición, la combinación ganadora de #Zadig&Voltaire con Magento La capacidad de reacción y la agil… https://t.co/MtgMEex00p
Wed Apr 21 07:04:59 +0000 2021

10 bonnes raisons pour un vendeur B2B de choisir Magento Commerce Comment Magento Commerce peut donner un nouveau s… https://t.co/Fue0OAKBCq
Wed Apr 21 07:04:59 +0000 2021

Join our popular Magento Community Speaker Workshop on May 20 and 27, 2021, to learn more about owning your experti… https://t.co/xdvAPINRki
Tue Apr 20 12:45:04 +0000 2021

Am 6. Mai ist es soweit! Die nächsten Sessions der #B2Best DIGITAL 2021 stehen an. Freut euch auf praxisnahe Vorträ… https://t.co/XY706SYToK
Tue Apr 20 08:00:27 +0000 2021

By the Year

In 2021 there have been 17 vulnerabilities in Magento with an average score of 6.9 out of ten. Last year Magento had 38 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Magento in 2021 could surpass last years number. Last year, the average CVE base score was greater by 0.51

Year Vulnerabilities Average Score
2021 17 6.86
2020 38 7.37
2019 137 6.50
2018 1 6.50

It may take a day or so for new Magento vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest Magento Security Vulnerabilities

Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature

CVE-2021-21064 4.9 - Medium - February 25, 2021

Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which allows reading arbitrary files from the remote server. Access to the admin console is required for successful exploitation.

Directory traversal

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass

CVE-2021-21014 9.1 - Critical - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Unrestricted File Upload

Magento versions 2.4.1 (and earlier)

CVE-2021-21022 5.3 - Medium - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.

AuthZ

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection

CVE-2021-21018 9.1 - Critical - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Shell injection

Magento versions 2.4.1 (and earlier)

CVE-2021-21025 9.1 - Critical - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

aka Blind XPath Injection

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI

CVE-2021-21016 9.1 - Critical - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Shell injection

Magento versions 2.4.1 (and earlier)

CVE-2021-21023 4.8 - Medium - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

XSS

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability

CVE-2021-21029 4.8 - Medium - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

XSS

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability

CVE-2021-21027 4.3 - Medium - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

Session Riding

Magento versions 2.4.1 (and earlier)

CVE-2021-21024 9.1 - Critical - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

SQL Injection

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions

CVE-2021-21032 5.6 - Medium - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.

Insufficient Session Expiration

Magento versions 2.4.1 (and earlier)

CVE-2021-21026 5.3 - Medium - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

AuthZ

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module

CVE-2021-21019 9.1 - Critical - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

aka Blind XPath Injection

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an OS command injection

CVE-2021-21015 8 - High - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Shell injection

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions

CVE-2021-21031 5.6 - Medium - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.

Insufficient Session Expiration

Magento versions 2.4.1 (and earlier)

CVE-2021-21020 5.3 - Medium - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources.

Authorization

Magento versions 2.4.1 (and earlier)

CVE-2021-21030 8.1 - High - February 11, 2021

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction.

XSS

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component

CVE-2020-24403 2.7 - Low - November 09, 2020

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.

AuthZ

When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability

CVE-2020-24406 3.7 - Low - November 09, 2020

When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.

Directory traversal

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component

CVE-2020-24404 2.7 - Low - November 09, 2020

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.

AuthZ

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.