
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN088
_____________________________________________________________________

DATE                : 10/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Adobe Magento Commerce or Adobe
                    Magento Open Source in versions prior to 2.4.2,
                    2.4.1-p1, 2.3.6-p1.

=====================================================================
https://helpx.adobe.com/security/products/magento/apsb21-08.html
_____________________________________________________________________

Security Updates Available for Magento | APSB21-08
Bulletin ID     Date Published       Priority
APSB21-08       February 09, 2021    2


Summary

Magento has released updates for Magento Commerce and Magento Open
Source editions. These updates resolve vulnerabilities rated important
and critical. Successful exploitation could lead to arbitrary code
execution.


Affected Versions

Product              Version                        Platform

Magento Commerce     2.4.1 and earlier versions     All
                     2.4.0-p1 and earlier versions  All
                     2.3.6 and earlier versions     All
Magento Open Source  2.4.1 and earlier versions     All
                     2.4.0-p1 and earlier versions  All
                     2.3.6 and earlier versions     All

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version.

Product              Updated Version  Platform  Priority Rating  Release Notes

Magento Commerce     2.4.2            All       2                2.4.x release notes
                                                                 2.3.x release notes
                     2.4.1-p1         All       2
                     2.3.6-p1         All       2

Magento Open Source  2.4.2            All       2
                     2.4.1-p1         All       2
                     2.3.6-p1         All       2


Vulnerability details


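Vulnerability Category:     Insecure Direct Object Reference (IDOR)
Vulnerability Impact:       Unauthorized access to restricted resources
Severity:                   Important
Pre-authentication?         No
Admin privileges required?  No
Magento Bug ID:             PRODSECBUG-2812
CVE numbers:                CVE-2021-21012

Vulnerability Category:     Insecure Direct Object Reference (IDOR)
Vulnerability Impact:       Unauthorized access to restricted resources
Severity:                   Important
Pre-authentication?         No
Admin privileges required?  No
Magento Bug ID:             PRODSECBUG-2815
CVE numbers:                CVE-2021-21013

Vulnerability Category:     File Upload Allow List Bypass
Vulnerability Impact:       Arbitrary code execution
Severity:                   Critical
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2820
CVE numbers:                CVE-2021-21014

Vulnerability Category:     Security bypass
Vulnerability Impact:       Arbitrary code execution
Severity:                   Critical
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2830
CVE numbers:                CVE-2021-21015

Vulnerability Category:     Security bypass
Vulnerability Impact:       Arbitrary code execution
Severity:                   Critical
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2835
CVE numbers:                CVE-2021-21016

Vulnerability Category:     Command injection
Vulnerability Impact:       Arbitrary code execution
Severity:                   Critical
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2845
CVE numbers:                CVE-2021-21018

Vulnerability Category:     XML injection
Vulnerability Impact:       Arbitrary code execution
Severity:                   Critical
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2847
CVE numbers:                CVE-2021-21019

Vulnerability Category:     Access control bypass
Vulnerability Impact:       Unauthorized access to restricted resources
Severity:                   Important
Pre-authentication?         No
Admin privileges required?  No
Magento Bug ID:             PRODSECBUG-2849
CVE numbers:                CVE-2021-21020

Vulnerability Category:     Insecure Direct Object Reference (IDOR)
Vulnerability Impact:       Unauthorized access to restricted resources
Severity:                   Important
Pre-authentication?         Yes
Admin privileges required?  No
Magento Bug ID:             PRODSECBUG-2863
CVE numbers:                CVE-2021-21022

Vulnerability Category:     Cross-site scripting (Stored)
Vulnerability Impact:       Arbitrary JavaScript execution in the browser
Severity:                   Important
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2893
CVE numbers:                CVE-2021-21023

Vulnerability Category:     Blind SQL injection
Vulnerability Impact:       Unauthorized access to restricted resources
Severity:                   Important
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2896
CVE numbers:                CVE-2021-21024

Vulnerability Category:     Security bypass
Vulnerability Impact:       Arbitrary code execution
Severity:                   Critical
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2900
CVE numbers:                CVE-2021-21025

Vulnerability Category:     Improper Authorization
Vulnerability Impact:       Unauthorized access to restricted resources
Severity:                   Important
Pre-authentication?         No
Admin privileges required?  Yes
Magento Bug ID:             PRODSECBUG-2902
CVE numbers:                CVE-2021-21026

Vulnerability Category:     Cross-site request forgery
Vulnerability Impact:       Unauthorized modification of customer metadata
Severity:                   Moderate
Pre-authentication?         No
Admin privileges required?  No
Magento Bug ID:             PRODSECBUG-2903
CVE numbers:                CVE-2021-21027

Vulnerability Category:     Cross-site scripting (reflected)
Vulnerability Impact:       Arbitrary JavaScript execution in the browser
Severity:                   Important
Pre-authentication?         Yes
Admin privileges required?  No
Magento Bug ID:             PRODSECBUG-2907
CVE numbers:                CVE-2021-21029

Vulnerability Category:     Cross-site scripting (Stored)
Vulnerability Impact:       Arbitrary JavaScript execution in the browser
Severity:                   Critical
Pre-authentication?         Yes
Admin privileges required?  No
Magento Bug ID:             PRODSECBUG-2912
CVE numbers:                CVE-2021-21030

Vulnerability Category:     Insufficient Invalidation of User Session
Vulnerability Impact:       Unauthorized access to restricted resources
Severity:                   Important
Pre-authentication?         No
Admin privileges required?  No
Magento Bug ID:             PRODSECBUG-2914
CVE numbers:                CVE-2021-21031

Vulnerability Category:     Insufficient Invalidation of User Session
Vulnerability Impact:       Unauthorized access to restricted resources
Severity:                   Important
Pre-authentication?         No
Admin privileges required?  No
Magento Bug ID:             MC-36608
CVE numbers:                CVE-2021-21032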

Note:

Pre-authentication:  The vulnerability is exploitable without
credentials.


Admin privileges required:  The vulnerability is only exploitable by an
attacker with administrative privileges.


Additional technical descriptions of the CVEs referenced in this
document will be made available on MITRE and NVD sites.


Updates to dependencies

Dependency  Vulnerability Impact  Affected Versions
Angular     Prototype Pollution   2.4.2, 2.4.1-p1, 2.3.6-p1


Acknowledgments

Adobe would like to thank the following individuals for reporting the
relevant issues and for working with Adobe to help protect our
customers:   

    Malerisch (CVE-2021-21012)
    Niels Pijpers (CVE-2021-21013)
    Blaklis (CVE-2021-21014, CVE-2021-21018, CVE-2021-21030)
    Edgar Boda-Majer of Bugscale (CVE-2021-21015, CVE-2021-21016,
        CVE-2021-21022)
    Kien Hoang (CVE-2021-21020)
    bobbytabl35_ (CVE-2021-21023)
    Wohlie (CVE-2021-21024)
    Peter O'Callaghan (CVE-2021-21025)
    Kiên Ka Lư (CVE-2021-21026)
    Lachlan Davidson (CVE-2021-21027)
    Natsasit Jirathammanuwat (Office Thailand) working with SEC Consult
        Vulnerability Lab (CVE-2021-21029)
    Anas (CVE-2021-21031)




=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


