PT-2021-6352 · Adobe · Magento Commerce

Published: 2021-08-11 · Updated: 2022-10-24 · CVE-2021-36022

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier)
Magento Commerce version 2.3.7 (and earlier)

Description
The issue is an XML Injection vulnerability in the Widgets Update Layout of Magento Commerce. An attacker who already holds admin privileges can exploit it to trigger a specially crafted script, potentially achieving remote code execution. The vulnerability is also related to improper neutralization of special elements used in an operating system command (OS command injection).

Recommendations
For Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier), update to a version that fixes the XML Injection vulnerability in the Widgets Update Layout. As a temporary workaround, restrict access to the Widgets Update Layout to minimize the risk of exploitation.

Fix · RCE · Special Elements Injection · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2022-01371
CVE-2021-36022
GHSA-3X9X-VHQJ-CV27

Affected Products

Magento Commerce