Security Vulnerabilities - CVEs Published In September 2021
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
CVSS Score: 8.3 | EPSS Score: 0.009 | Published: 2021-09-01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVSS Score: 9.1 | EPSS Score: 0.113 | Published: 2021-09-01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.
CVSS Score: 9.1 | EPSS Score: 0.055 | Published: 2021-09-01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution.
CVSS Score: 9.1 | EPSS Score: 0.073 | Published: 2021-09-01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
CVSS Score: 6.5 | EPSS Score: 0.009 | Published: 2021-09-01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
CVSS Score: 6.5 | EPSS Score: 0.015 | Published: 2021-09-01
This affects all versions of package Proto. It is possible to pollute the object prototype of an application using Proto by leveraging the merge function.
CVSS Score: 5.6 | EPSS Score: 0.003 | Published: 2021-09-01
This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation.
CVSS Score: 8.6 | EPSS Score: 0.006 | Published: 2021-09-01
This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitization of the user input and a missing check of the generated path, it is possible to escape the Files directory via path traversal.
CVSS Score: 8.6 | EPSS Score: 0.008 | Published: 2021-09-01
Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.
CVSS Score: 8.9 | EPSS Score: 0.828 | Published: 2021-09-01