Vulnerabilities > Magento > Magento > 2.3.2
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-09-08 | CVE-2021-28567 | Incorrect Authorization vulnerability in Magento Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. | 6.5 |
2021-06-28 | CVE-2021-28556 | Cross-site Scripting vulnerability in Magento Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. | 3.5 |
2021-06-28 | CVE-2021-28563 | Unspecified vulnerability in Magento Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. | 6.4 |
2021-06-28 | CVE-2021-28583 | Violation of Secure Design Principles vulnerability in Magento Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. | 4.3 |
2021-06-28 | CVE-2021-28584 | Path Traversal vulnerability in Magento Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. | 6.5 |
2021-06-28 | CVE-2021-28585 | Improper Input Validation vulnerability in Magento Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails. | 5.0 |
2021-02-11 | CVE-2021-21029 | Cross-site Scripting vulnerability in Magento Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. | 3.5 |
2021-02-11 | CVE-2021-21022 | Authorization Bypass Through User-Controlled Key vulnerability in Magento Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. | 5.3 |
2021-02-11 | CVE-2021-21019 | XML Injection (aka Blind XPath Injection) vulnerability in Magento Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. | 9.1 |
2020-11-09 | CVE-2020-24407 | Unrestricted Upload of File with Dangerous Type vulnerability in Magento Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. | 9.0 |