PT-2021-2328 · Adobe · Magento
Published: 2021-02-09 · Updated: 2024-03-06 · CVE-2021-21030
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Magento versions 2.4.1 and earlier
Magento versions 2.4.0-p1 and earlier
Magento versions 2.3.6 and earlier
Description
The issue is a stored cross-site scripting (XSS) vulnerability in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction. The vulnerability also stems from insufficient protection of the web page structure, which could allow a remote attacker to execute arbitrary code in the context of the current user.
Recommendations
For all affected branches (Magento 2.4.1 and earlier, 2.4.0-p1 and earlier, and 2.3.6 and earlier), update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the customer address upload feature until a patch is available.
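The following is an added illustration, not Magento's code and not part of this advisory: it parses a constructed customer address import, shows the render pattern that turns a stored field into script execution next to the hardened render that HTML-encodes every field at output time, and adds an import-time check that flags rows carrying markup characters (the angle-bracket heuristic is an assumption chosen for this example, not a Magento rule).

```python
import csv
import html
import io
import re

# Constructed sample of a customer address import file (not from the advisory).
# The third row carries markup in the "street" column, the kind of value a
# stored XSS in an upload feature persists and later renders to other users.
SAMPLE_CSV = """email,firstname,lastname,street,city
alice@example.com,Alice,Doe,1 Main St,Springfield
bob@example.com,Bob,Roe,"2 Elm St, Apt 4",Shelbyville
mallory@example.com,Mallory,Poe,"<script>alert('xss')</script>",Capital City
"""

ADDRESS_FIELDS = ("firstname", "lastname", "street", "city")
# Assumed heuristic: postal address fields never legitimately need < or >.
MARKUP = re.compile(r"[<>]")


def load_addresses(text):
    """Parse the upload into a list of dicts (one per address row)."""
    return list(csv.DictReader(io.StringIO(text)))


def render_unsafe(addr):
    """The pattern that produces the bug: stored fields spliced into HTML verbatim."""
    return "<li>{firstname} {lastname}, {street}, {city}</li>".format(**addr)


def render_safe(addr):
    """Hardened form: every stored field is HTML-encoded when it reaches the page."""
    safe = {k: html.escape(addr[k], quote=True) for k in ADDRESS_FIELDS}
    return "<li>{firstname} {lastname}, {street}, {city}</li>".format(**safe)


def suspicious_rows(addresses):
    """Import-time check: indexes of rows whose address fields contain markup."""
    return [i for i, a in enumerate(addresses)
            if any(MARKUP.search(a[f]) for f in ADDRESS_FIELDS)]


if __name__ == "__main__":
    rows = load_addresses(SAMPLE_CSV)
    for a in rows:
        print(render_safe(a))
    print("flagged rows:", suspicious_rows(rows))
```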

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2021-01563
BIT-MAGENTO-2021-21030
CVE-2021-21030
GHSA-6988-G89M-27VF

Affected Products

Magento