CVE-2021-21032
First published: Thu Feb 11 2021(Updated: )
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Magento Magento | <2.3.6 | |
| Magento Magento | <2.3.6 | |
| Magento Magento | =2.3.6 | |
| Magento Magento | =2.3.6 | |
| Magento Magento | =2.4.0 | |
| Magento Magento | =2.4.0 | |
| Magento Magento | =2.4.0-p1 | |
| Magento Magento | =2.4.0-p1 | |
| Magento Magento | =2.4.1 | |
| Magento Magento | =2.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-21032?
CVE-2021-21032 is a vulnerability in Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier), and 2.3.6 (and earlier) that allows unauthorized access to restricted resources due to inadequate session invalidation.
How severe is CVE-2021-21032?
CVE-2021-21032 has a severity level of high with a score of 5.6.
How can CVE-2021-21032 be exploited?
CVE-2021-21032 can be exploited by an attacker to gain unauthorized access to restricted resources without requiring access to the admin console.
Which versions of Magento are affected by CVE-2021-21032?
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier), and 2.3.6 (and earlier) are affected by CVE-2021-21032.
Is there a fix for CVE-2021-21032?
Yes, Magento has released security patches to fix CVE-2021-21032. It is recommended to update to the latest patched version of Magento.
- collector/nvd-index
- vendor/magento
- canonical/magento magento
- version/magento magento/2.3.6
- version/magento magento/2.4.0
- version/magento magento/2.4.0-p1
- version/magento magento/2.4.1