Magento Update Released to Fix Critical Flaws Affecting E-Commerce Sites (Security News, August 2021)
Adobe on Tuesday shipped security updates to remediate multiple critical vulnerabilities in its Magento e-commerce platform that could be abused by an attacker to execute arbitrary code and take control of a vulnerable system.
The issues affect Magento Commerce versions 2.3.7, 2.4.2-p1, 2.4.2 and earlier, and Magento Open Source versions 2.3.7, 2.4.2-p1 and all prior releases.
CVE-2021-36036 - Arbitrary code execution due to improper access control.
CVE-2021-36020 - Arbitrary code execution due to XML injection.
CVE-2021-36043 - Arbitrary code execution due to server-side request forgery.
Successful exploitation of the aforementioned pre-authentication vulnerabilities could allow an adversary to escalate privileges and run malicious code, enabling the threat actor to seize control of a Magento site and its server.
Related Vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-06 | CVE-2021-36036 | Improper Access Control vulnerability in Magento. Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. | 7.2 |
| 2021-09-01 | CVE-2021-36043 | Server-Side Request Forgery (SSRF) vulnerability in Adobe Commerce and Magento Open Source. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. | 6.6 |
| 2021-09-01 | CVE-2021-36020 | XML Injection (aka Blind XPath Injection) vulnerability in Adobe Commerce and Magento Open Source. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. | 9.8 |