SB2021021002 - Multiple vulnerabilities in Magento
Published: February 10, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 secuirty vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2021-21014)
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote privileged user can upload a malicious file and execute it on the server.
2) Security restrictions bypass (CVE-ID: CVE-2021-21025)
The vulnerability allows a remote administrator to execute arbitrary code on the system.
The vulnerability exists due to application does not properly impose security restrictions. A remote authenticated administrator can execute arbitrary code on the server.
3) Insufficient Session Expiration (CVE-ID: CVE-2021-21032)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration issue. A remote non-authenticated attacker can obtain or guess session token and gain unauthorized access to session that belongs to another user.
4) Insufficient Session Expiration (CVE-ID: CVE-2021-21031)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration issue. A remote non-authenticated attacker can obtain or guess session token and gain unauthorized access to session that belongs to another user.
5) Stored cross-site scripting (CVE-ID: CVE-2021-21030)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) Cross-site scripting (CVE-ID: CVE-2021-21029)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) Cross-site request forgery (CVE-ID: CVE-2021-21027)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as change metadata of website customers.
8) Improper Authorization (CVE-ID: CVE-2021-21026)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote administrator can bypass implemented security restrictions and gain unauthorized access to the application.
9) SQL injection (CVE-ID: CVE-2021-21024)
The vulnerability allows a remote administrator to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated administrator can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
10) Security restrictions bypass (CVE-ID: CVE-2021-21015)
The vulnerability allows a remote administrator to execute arbitrary code on the system.
The vulnerability exists due to application does not properly impose security restrictions. A remote authenticated administrator can execute arbitrary code on the server.
11) Stored cross-site scripting (CVE-ID: CVE-2021-21023)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote administrator can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
12) Authorization bypass through user-controlled key (CVE-ID: CVE-2021-21022)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper access restrictions. A remote non-authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.
13) Improper access control (CVE-ID: CVE-2021-21020)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
14) XML injection (CVE-ID: CVE-2021-21019)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing XML data. A remote authenticated administrator can pass specially crafted XML data to the application and perform arbitrary actions on the system.
15) Command Injection (CVE-ID: CVE-2021-21018)
The vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation. A remote authenticated administrator can send a specially crafted HTTP request and execute arbitrary commands on the system.
16) Security restrictions bypass (CVE-ID: CVE-2021-21016)
The vulnerability allows a remote administrator to execute arbitrary code on the system.
The vulnerability exists due to application does not properly impose security restrictions. A remote authenticated administrator can execute arbitrary code on the server.
Remediation
Install update from vendor's website.