CVE-2021-21029

Name of the Vulnerable Software and Affected Versions Magento versions 2.4.1 and earlier Magento versions 2.4.0-p1 and earlier Magento versions 2.3.6 and earlier

Description The issue is related to a Reflected Cross-site Scripting vulnerability via the file parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation. The vulnerability is associated with the lack of protection of the web page structure, which could allow a remote attacker to execute arbitrary code in the context of the current user.

Recommendations For Magento versions 2.4.1 and earlier, update to a version that includes a fix for this issue. For Magento versions 2.4.0-p1 and earlier, update to a version that includes a fix for this issue. For Magento versions 2.3.6 and earlier, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the admin console to minimize the risk of exploitation. Avoid using the file parameter in affected API endpoints until the issue is resolved.