CVE-2021-36026

Name of the Vulnerable Software and Affected Versions Magento Commerce versions 2.4.2 and earlier Magento Commerce versions 2.4.2-p1 and earlier Magento Commerce versions 2.3.7 and earlier

Description The issue is related to the lack of protection of the web page structure in Magento Commerce. This could allow a remote attacker to execute arbitrary code in the context of the current user. The vulnerability is a stored cross-site scripting issue in the customer address upload feature, which could be exploited by an attacker to inject malicious scripts into vulnerable form fields. As a result, malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

Recommendations For Magento Commerce versions 2.4.2 and earlier, update to a version that includes a fix for the stored cross-site scripting vulnerability in the customer address upload feature. For Magento Commerce versions 2.4.2-p1 and earlier, update to a version that includes a fix for the stored cross-site scripting vulnerability in the customer address upload feature. For Magento Commerce versions 2.3.7 and earlier, update to a version that includes a fix for the stored cross-site scripting vulnerability in the customer address upload feature.