Adobe Security Bulletin

Search

Security Updates Available for Magento | APSB21-08

Bulletin ID

Date Published

Priority

ASPB21-08

February 09, 2021      

2

Summary

Magento has released updates for Magento Commerce and Magento Open Source editions. These updates resolve vulnerabilities  rated important and critical. Successful exploitation could lead to arbitrary code execution.    

Affected Versions

Product Version Platform

Magento Commerce 
 2.4.1 and earlier versions  
 All
2.4.0-p1 and earlier versions  
 All
2.3.6 and earlier versions 
 All
Magento Open Source 

 2.4.1 and earlier versions
 All
2.4.0-p1 and earlier versions
 All
2.3.6 and earlier versions 
 All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product Updated Version Platform Priority Rating Release Notes
Magento Commerce 
 2.4.2
 All
 2

 

 

2.4.x release notes

2.3.x release notes
2.4.1-p1
 All
 2
2.3.6-p1 All
 2
Magento Open Source 
 2.4.2
 All 2
2.4.1-p1
 All 2
2.3.6-p1 All
 2

Vulnerability details

Vulnerability Category Vulnerability Impact Severity Pre-authentication? Admin privileges required?

 Magento Bug ID CVE numbers
Insecure Direct Object Reference (IDOR)
 Unauthorized access to restricted resources
 Important 
 No
 No
 PRODSECBUG-2812
 CVE-2021-21012
Insecure Direct Object Reference (IDOR)
 Unauthorized access to restricted resources
 Important 
 No
 No
 PRODSECBUG-2815
 CVE-2021-21013
File Upload Allow List Bypass
 Arbitrary code execution 
 Critical
 No
 Yes
 PRODSECBUG-2820
 CVE-2021-21014
Security bypass
 Arbitrary code execution 
 Critical
 No
 Yes
 PRODSECBUG-2830
 CVE-2021-21015
Security bypass
 Arbitrary code execution 
 Critical
 No
 Yes
 PRODSECBUG-2835
 CVE-2021-21016
Command injection
 Arbitrary code execution 
 Critical
 No
 Yes
 PRODSECBUG-2845
 CVE-2021-21018
XML injection
 Arbitrary code execution 
 Critical
 No
 Yes
 PRODSECBUG-2847
 CVE-2021-21019
Access control bypass
 Unauthorized access to restricted resources
 Important 
 No
 No
 PRODSECBUG-2849
 CVE-2021-21020
Insecure Direct Object Reference (IDOR)
 Unauthorized access to restricted resources
 Important 
 Yes
 No
 PRODSECBUG-2863
 CVE-2021-21022
Cross-site scripting (Stored)
 Arbitrary JavaScript execution in the browser
 Important 
 No
 Yes
 PRODSECBUG-2893
 CVE-2021-21023
Blind SQL injection
 Unauthorized access to restricted resources
 Important 
 No
 Yes
 PRODSECBUG-2896
 CVE-2021-21024
Security bypass
 Arbitrary code execution 
 Critical
 No
 Yes
 PRODSECBUG-2900
 CVE-2021-21025
Improper Authorization
 Unauthorized access to restricted resources
 Important 
 No
 Yes
 PRODSECBUG-2902
 CVE-2021-21026
Cross-site request forgery
 Unauthorized modification of customer metadata
 Moderate
 No
 No
 PRODSECBUG-2903
 CVE-2021-21027
Cross-site scripting (reflected)
 Arbitrary JavaScript execution in the browser
 Important 
 Yes
 No
 PRODSECBUG-2907
 CVE-2021-21029
Cross-site scripting (Stored) Arbitrary JavaScript execution in the browser
 Critical
 Yes
 No
 PRODSECBUG-2912
 CVE-2021-21030
Insufficient Invalidation of User Session
 Unauthorized access to restricted resources
 Important 
 No
 No
 PRODSECBUG-2914
 CVE-2021-21031
Insufficient Invalidation of User Session
 Unauthorized access to restricted resources
 Important 
 No
 No
 MC-36608
 CVE-2021-21032
Note:

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.

Updates to dependencies

Dependency

Vulnerability Impact

Affected Versions

Angular

Prototype Pollution

2.4.2, 2.4.1-p1, 2.3.6-p1

Acknowledgments

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

  • Malerisch (CVE-2021-21012)
  • Niels Pijpers (CVE-2021-21013)
  • Blaklis (CVE-2021-21014, CVE-2021-21018, CVE-2021-21030)
  • Kien Hoang (hoangkien1020) (CVE-2021-21014)
  • Edgar Boda-Majer of Bugscale (CVE-2021-21015, CVE-2021-21016, CVE-2021-21022) 
  • Kien Hoang (CVE-2021-21020)
  • bobbytabl35_ (CVE-2021-21023)
  • Wohlie (CVE-2021-21024)
  • Peter O'Callaghan (CVE-2021-21025)
  • Kiên Ka Lư (CVE-2021-21026)
  • Lachlan Davidson (CVE-2021-21027)
  • Natsasit Jirathammanuwat (Office Thailand) working with SEC Consult Vulnerability Lab (CVE-2021-21029)
  • Anas (CVE-2021-21031)

Revisions

February 09, 2021: Updated acknowledgement details about CVE-2021-21014.

Adobe logo

Sign in to your account

Quick links

View all your plans Manage your plans