CVE-2021-36020 vulnerability in Adobe Products
Published on September 1, 2021
Magento Commerce XML Injection Vulnerability In The 'City' Field Could Lead To Remote Code Execution
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
Vulnerability Analysis
CVE-2021-36020 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an aka Blind XPath Injection Vulnerability?
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax.
CVE-2021-36020 has been classified to as an aka Blind XPath Injection vulnerability or weakness.
Products Associated with CVE-2021-36020
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-36020 are published in these products:
Affected Versions
Adobe Magento Commerce:- Version unspecified, <= 2.4.2 is affected.
- Version unspecified, <= 2.4.2-p1 is affected.
- Version unspecified, <= 2.3.7 is affected.
- Version unspecified, <= None is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.