CVE-2021-36026: Magento Commerce Stored Cross-site Scripting Vulnerability
First published: Tue Aug 10 2021(Updated: )
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe Adobe Commerce | >=2.3.0<=2.3.7 | |
| Adobe Adobe Commerce | >=2.4.0<=2.4.2 | |
| Adobe Adobe Commerce | =2.4.2-p1 | |
| Adobe Magento Open Source | >=2.3.0<=2.3.7 | |
| Adobe Magento Open Source | >=2.4.0<=2.4.2 | |
| Adobe Magento Open Source | =2.4.2-p1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-36026?
CVE-2021-36026 is a vulnerability in Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) that allows an attacker to inject malicious scripts into vulnerable form fields using a stored cross-site scripting (XSS) attack.
How does CVE-2021-36026 affect Adobe Adobe Commerce?
Adobe Adobe Commerce versions between 2.3.0 and 2.3.7 are affected by CVE-2021-36026.
How does CVE-2021-36026 affect Adobe Magento Open Source?
Adobe Magento Open Source versions between 2.3.0 and 2.3.7 are affected by CVE-2021-36026.
How do I fix CVE-2021-36026?
To fix CVE-2021-36026, update Magento Commerce to version 2.4.2-p1 or later if you are using version 2.4.2, or update to version 2.3.8 or later if you are using version 2.3.x.
What is the severity of CVE-2021-36026?
CVE-2021-36026 has a severity rating of medium (6.1) according to the Common Vulnerability Scoring System (CVSS).
- collector/nvd-index
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/title
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/adobe
- canonical/adobe adobe commerce
- version/adobe adobe commerce/2.3.0
- version/adobe adobe commerce/2.3.7
- version/adobe adobe commerce/2.4.0
- version/adobe adobe commerce/2.4.2
- version/adobe adobe commerce/2.4.2-p1
- canonical/adobe magento open source
- version/adobe magento open source/2.3.0
- version/adobe magento open source/2.3.7
- version/adobe magento open source/2.4.0
- version/adobe magento open source/2.4.2
- version/adobe magento open source/2.4.2-p1