CVE-2021-36023

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/magento/community-edition

Identifiers

CVE-2021-36023

Package Slug

packagist/magento/community-edition

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Affected Versions

All versions before 2.3.7, all versions starting from 2.4.0 before 2.4.2

Solution

Upgrade to versions 2.3.7, 2.4.2 or above.

Last Modified

2023-09-12
