Adobe Security Bulletin

Search

Security Updates Available for Magento | APSB21-30

Bulletin ID

Date Published

Priority

ASPB21-30

May 11, 2021      

2

Summary

Successful exploitation could lead to unauthorized access to restricted resources. Magento has released updates for Magento Commerce and Magento Open Source editions. These updates resolve vulnerabilities  rated important and moderate. Successful exploitation could lead to arbitrary code execution.    

Affected Versions

Product Version Platform

Magento Commerce 
 2.4.2 and earlier versions  
 All
2.4.1-p1 and earlier versions  
 All
2.3.6-p1 and earlier versions 
 All
Magento Open Source 

 2.4.2 and earlier versions
 All
2.4.1-p1 and earlier versions
 All
2.3.6-p1 and earlier versions 
 All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product Updated Version Platform Priority Rating Release Notes
Magento Commerce 2.4.2-p1
 All
 2

2.4.x release notes

2.3.x release notes
2.3.7 All
 2
Magento Open Source 
 2.4.2-p1
 All 2
2.3.7 All
 2

Vulnerability details

Vulnerability Category Vulnerability Impact Severity Pre-authentication? Admin privileges required?

 Magento Bug ID CVE numbers
Information Disclosure 
 Disclosure of document root path 
 Moderate
 No
 Yes
 PRODSECBUG-2927
 CVE-2021-28566
Incorrect Authorization 
 Unauthorized modification of customer data  Moderate 
 
 No
 Yes PRODSECBUG-2931
 CVE-2021-28567
Cross-site scripting (DOM-based)
 Arbitrary JavaScript execution in the browser
 Important
 Yes No PRODSECBUG-2918
 CVE-2021-28556
Improper Authorization
 Unauthorized access to restricted resources
 Moderate
 No
 Yes
 PRODSECBUG-2935
 CVE-2021-28563
Violation of Secure Design Principles
 Unauthorized access to restricted resources
 Moderate 
 No
 Yes
 PRODSECBUG-2943
 CVE-2021-28583
Path traversal
 Arbitrary file system write
 Moderate
 No
 Yes
 PRODSECBUG-2957
 CVE-2021-28584
Improper Input Validation
 Security feature bypass
 Moderate
 No
 No MC-39885
 CVE-2021-28585
Note:

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.

Acknowledgments

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

  • Kien Hoang (CVE-2021-28567) 
  • Nuswantara Gading Alfa Putranto - Ethic Ninja (https://ethic.ninja) (CVE-2021-28566)
  • Charybdis (CVE-2021-28556)
  • Rutger Rademaker & Igor Wulff - Youwe (CVE-2021-28583)
  • Matt Cardwell - Cognisys, Inc. (CVE-2021-28584)

 

 Adobe

Get help faster and easier

New user?

Quick links

View all your plans Manage your plans
View quick links
Hide quick links