First published: Mon Jun 28 2021(Updated: )
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for successful exploitation.
Credit: psirt@adobe.com psirt@adobe.com
Affected Software | Affected Version | How to fix |
---|---|---|
Magento Magento | <2.3.7 | |
Magento Magento | <2.3.7 | |
Magento Magento | >=2.4.0<=2.4.2 | |
Magento Magento | >=2.4.0<=2.4.2 | |
composer/magento/community-edition | <2.3.7 | 2.3.7 |
composer/magento/community-edition | >=2.4.0<2.4.2-p1 | 2.4.2-p1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2021-28556.
The severity of CVE-2021-28556 is medium with a CVSS score of 4.8.
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier), and 2.3.6-p1 (and earlier) are affected by CVE-2021-28556.
Successful exploitation of CVE-2021-28556 could lead to arbitrary JavaScript execution by an unauthenticated attacker.
To fix CVE-2021-28556, it is recommended to upgrade to the latest version of Magento. Patch updates are available for affected versions.