CVE-2021-28556

Name of the Vulnerable Software and Affected Versions Magento versions 2.4.2 and earlier Magento versions 2.4.1-p1 and earlier Magento versions 2.3.6-p1 and earlier

Description The issue is related to a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for successful exploitation. The vulnerability is associated with the lack of protection of the web page structure, which can be exploited by a remote attacker using a specially crafted link to execute arbitrary JavaScript code in the user's browser.

Recommendations For Magento versions 2.4.2 and earlier, update to a version that includes the fix for this issue. For Magento versions 2.4.1-p1 and earlier, update to a version that includes the fix for this issue. For Magento versions 2.3.6-p1 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the mage-messages cookies to minimize the risk of exploitation.