CVE-2021-21029

Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution

CVSS 4.8 MEDIUM · EPSS 84.7% · CWE-79
In short

A flaw in Magento allows an attacker who already has admin access to inject malicious code into the 'file' URL parameter; the code runs in a visitor's browser when they open the crafted link. This can be used to steal sensitive information or perform unwanted actions in the victim's session.

Technical detail

Reflected XSS vulnerability in the 'file' parameter, affecting Magento 2.4.1 and earlier, 2.4.0-p1 and earlier, and 2.3.6 and earlier. Exploitation requires admin-level access to craft the malicious payload; the attack vector is a crafted URL that, when opened by a victim, executes arbitrary JavaScript in the victim's browser context.

Summary generated and translated by AI from the official description.
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Affected products
Adobe · Magento Commerce
