CVE-2021-21030 - Vulnerability Details

Vendors	Products
Magento	Magento

Link	Providers
https://helpx.adobe.com/security/products/magento/apsb21-08.html

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Magento Commerce", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2.4.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.4.0-p1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.3.6", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "None", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-02-09T00:00:00", "descriptions": [{"lang": "en", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (Stored XSS) (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-11T19:29:31", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Magento Commerce Stored Cross-site Scripting Could Lead To Arbitrary Javascript Execution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2021-02-09T23:00:00.000Z", "ID": "CVE-2021-21030", "STATE": "PUBLIC", "TITLE": "Magento Commerce Stored Cross-site Scripting Could Lead To Arbitrary Javascript Execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Magento Commerce", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.4.1"}, {"version_affected": "<=", "version_value": "2.4.0-p1"}, {"version_affected": "<=", "version_value": "2.3.6"}, {"version_affected": "<=", "version_value": "None"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction."}]}, "impact": {"cvss": {"attackComplexity": "None", "attackVector": "None", "availabilityImpact": "None", "baseScore": 8.1, "baseSeverity": "High", "confidentialityImpact": "None", "integrityImpact": "None", "privilegesRequired": "None", "scope": "None", "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (Stored XSS) (CWE-79)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:01:13.639Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}]}]}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2021-21030", "datePublished": "2021-02-11T19:29:31.185589Z", "dateReserved": "2020-12-18T00:00:00", "dateUpdated": "2024-09-16T19:19:56.211Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Magento Commerce (string)

vendor : Adobe (string)

versions : [ »

0 : { »

lessThanOrEqual : 2.4.1 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

1 : { »

lessThanOrEqual : 2.4.0-p1 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

2 : { »

lessThanOrEqual : 2.3.6 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

3 : { »

lessThanOrEqual : None (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

]

}

]

datePublic : 2021-02-09T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction. (string)

}

]

metrics : [ »

0 : { »

cvssV3_0 : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 8.1 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (string)

version : 3.0 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-79 (string)

description : Cross-site Scripting (Stored XSS) (CWE-79) (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-02-11T19:29:31 (string)

orgId : 078d4453-3bcd-4900-85e6-15281da43538 (string)

shortName : adobe (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

]

source : { »

discovery : EXTERNAL (string)

}

title : Magento Commerce Stored Cross-site Scripting Could Lead To Arbitrary Javascript Execution (string)

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : psirt@adobe.com (string)

DATE_PUBLIC : 2021-02-09T23:00:00.000Z (string)

ID : CVE-2021-21030 (string)

STATE : PUBLIC (string)

TITLE : Magento Commerce Stored Cross-site Scripting Could Lead To Arbitrary Javascript Execution (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Magento Commerce (string)

version : { »

version_data : [ »

0 : { »

version_affected : <= (string)

version_value : 2.4.1 (string)

}

1 : { »

version_affected : <= (string)

version_value : 2.4.0-p1 (string)

}

2 : { »

version_affected : <= (string)

version_value : 2.3.6 (string)

}

3 : { »

version_affected : <= (string)

version_value : None (string)

}

]

}

]

}

vendor_name : Adobe (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction. (string)

}

]

}

impact : { »

cvss : { »

attackComplexity : None (string)

attackVector : None (string)

availabilityImpact : None (string)

baseScore : 8.1 (number)

baseSeverity : High (string)

confidentialityImpact : None (string)

integrityImpact : None (string)

privilegesRequired : None (string)

scope : None (string)

userInteraction : None (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (string)

version : 3.1 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Cross-site Scripting (Stored XSS) (CWE-79) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

refsource : MISC (string)

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

]

}

source : { »

discovery : EXTERNAL (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T18:01:13.639Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 078d4453-3bcd-4900-85e6-15281da43538 (string)

assignerShortName : adobe (string)

cveId : CVE-2021-21030 (string)

datePublished : 2021-02-11T19:29:31.185589Z (string)

dateReserved : 2020-12-18T00:00:00 (string)

dateUpdated : 2024-09-16T19:19:56.211Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "14B6B496-E849-4935-B3D8-8BDB8DDD59A3", "versionEndExcluding": "2.3.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*", "matchCriteriaId": "79C3A2B0-AE14-4D0F-BEE2-82FC00BE6087", "versionEndExcluding": "2.3.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*", "matchCriteriaId": "F9C60780-1213-4D06-A4C4-CC915C952B7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*", "matchCriteriaId": "3CCEDD72-7195-495C-A9B6-9D18BA9756F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*", "matchCriteriaId": "05F799AA-CDC0-409F-BB7E-CB941D6FB189", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*", "matchCriteriaId": "600AA27A-D2A8-41C3-8631-74ECF7453E78", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*", "matchCriteriaId": "67683B07-34CD-4DD2-A6C9-C71733007397", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*", "matchCriteriaId": "ECA32B69-E9D8-4C01-ACDC-E0F885D937FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*", "matchCriteriaId": "80860D39-0D51-47B3-BA92-F473ADA1BBC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*", "matchCriteriaId": "2ADFE661-AB9C-4387-AC4F-D14A0717C2B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction."}, {"lang": "es", "value": "Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a un ataque de tipo cross-site scripting (XSS) almacenado en la funcionalidad de carga de la direcci\u00f3n del cliente.&#xa0;Una explotaci\u00f3n con \u00e9xito podr\u00eda conllevar a una ejecuci\u00f3n arbitraria de JavaScript en el navegador de la v\u00edctima.&#xa0;Una explotaci\u00f3n de este problema requiere una interacci\u00f3n del usuario"}], "id": "CVE-2021-21030", "lastModified": "2024-11-21T05:47:26.037", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2021-02-11T20:15:14.827", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@adobe.com", "type": "Secondary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:* (string)

matchCriteriaId : 14B6B496-E849-4935-B3D8-8BDB8DDD59A3 (string)

versionEndExcluding : 2.3.6 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:* (string)

matchCriteriaId : 79C3A2B0-AE14-4D0F-BEE2-82FC00BE6087 (string)

versionEndExcluding : 2.3.6 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:* (string)

matchCriteriaId : F9C60780-1213-4D06-A4C4-CC915C952B7B (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:* (string)

matchCriteriaId : 3CCEDD72-7195-495C-A9B6-9D18BA9756F7 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:* (string)

matchCriteriaId : 05F799AA-CDC0-409F-BB7E-CB941D6FB189 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:* (string)

matchCriteriaId : 600AA27A-D2A8-41C3-8631-74ECF7453E78 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:* (string)

matchCriteriaId : 67683B07-34CD-4DD2-A6C9-C71733007397 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:* (string)

matchCriteriaId : ECA32B69-E9D8-4C01-ACDC-E0F885D937FB (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:* (string)

matchCriteriaId : 80860D39-0D51-47B3-BA92-F473ADA1BBC3 (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:* (string)

matchCriteriaId : 2ADFE661-AB9C-4387-AC4F-D14A0717C2B8 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction. (string)

}

1 : { »

lang : es (string)

value : Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a un ataque de tipo cross-site scripting (XSS) almacenado en la funcionalidad de carga de la dirección del cliente. Una explotación con éxito podría conllevar a una ejecución arbitraria de JavaScript en el navegador de la víctima. Una explotación de este problema requiere una interacción del usuario (string)

}

]

id : CVE-2021-21030 (string)

lastModified : 2024-11-21T05:47:26.037 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:N/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 8.1 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (string)

version : 3.0 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 5.2 (number)

source : psirt@adobe.com (string)

type : Secondary (string)

}

]

}

published : 2021-02-11T20:15:14.827 (string)

references : [ »

0 : { »

source : psirt@adobe.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

]

sourceIdentifier : psirt@adobe.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : psirt@adobe.com (string)

type : Secondary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object