Security Advisories - magento/community-edition

magento/community-edition Security Advisories for 0.74.0-beta5 (59)

[HIGH] Magento Improper input validation vulnerability

PKSA-228k-hrjg-43zp CVE-2022-42344 GHSA-297f-r9w7-w492

Affected version: =2.4.4|>=2.4.0,<2.4.3-p3|<2.3.7-p4

Reported by:
GitHub
[CRITICAL] Magento XML Injection vulnerability in the Widgets Module

PKSA-ky72-2cr3-p8cw CVE-2022-34253 GHSA-cj7w-pm77-hvg6

Affected version: >=2.4.0,<2.4.3-p3|>=2.4.4,<2.4.5|<2.3.7-p4

Reported by:
GitHub
[MEDIUM] Magento Improper Authorization vulnerability in the customers module

PKSA-98vv-8nyb-ffc5 CVE-2021-28567 GHSA-cc3w-r3w8-hfh7

Affected version: <2.3.7|>=2.4.0,<2.4.2-p1

Reported by:
GitHub
[MEDIUM] Magento DOM-based Cross-Site Scripting vulnerability on mage-messages cookies

PKSA-8582-qjd4-1g8s CVE-2021-28556 GHSA-39ch-rg26-gmq5

Affected version: <2.3.7|>=2.4.0,<2.4.2-p1

Reported by:
GitHub
[MEDIUM] Magento Unauthorized access to restricted resources

PKSA-y9kv-15rd-x7qv CVE-2021-28563 GHSA-q9xx-4689-gvv5

Affected version: <2.3.7|>=2.4.0,<2.4.2-p1

Reported by:
GitHub
[HIGH] Magento Violation of Secure Design Principles vulnerability in RMA PDF filename formats

PKSA-n22f-w4n6-g3fx CVE-2021-28583 GHSA-7gh6-f4jh-3crq

Affected version: <2.3.7|>=2.4.0,<2.4.2-p1

Reported by:
GitHub
[MEDIUM] Magento Path Traversal vulnerability

PKSA-kfxc-51yz-zbnf CVE-2021-28584 GHSA-7gpv-xrjr-f5h4

Affected version: <2.3.7|>=2.4.0,<2.4.2-p1

Reported by:
GitHub
[MEDIUM] Magento Improper input validation vulnerability

PKSA-2gm6-m4rp-6fvz CVE-2021-28585 GHSA-c38m-9668-6j2w

Affected version: <2.3.7|>=2.4.0,<2.4.2-p1

Reported by:
GitHub
[MEDIUM] Magento Insufficient Session Expiration

PKSA-48bg-fxg1-vkpy CVE-2021-21031 GHSA-4h3p-63x6-vwg2

Affected version: <2.3.6|>=2.4.0,<2.4.1-p1

Reported by:
GitHub
[CRITICAL] Magento XML injection in the Widgets module

PKSA-6mpp-zh74-59gd CVE-2021-21019 GHSA-mw95-gmw4-883p

Affected version: >=2.4.0,<2.4.1-p1|<2.3.6-p1

Reported by:
GitHub
[MEDIUM] Magento Insecure Direct Object Reference (IDOR) in the product module

PKSA-tw4y-fk6r-w8j9 CVE-2021-21022 GHSA-8pfq-g48p-x7w8

Affected version: >=2.4.0,<2.4.1-p1|<2.3.6-p1

Reported by:
GitHub
[MEDIUM] Magento stored cross-site scripting vulnerability in the admin console

PKSA-cv47-f2nq-tgnw CVE-2021-21023 GHSA-h5rm-m772-6qcx

Affected version: >=2.4.0,<2.4.1-p1|<2.3.6

Reported by:
GitHub
[CRITICAL] Magento Blind SQL Injection in the Search module

PKSA-392g-81d8-vhhm CVE-2021-21024 GHSA-rj4f-cp4v-hvcv

Affected version: >=2.4.0,<2.4.1-p1|<2.3.6-p1

Reported by:
GitHub
[MEDIUM] Magento improper authorization vulnerability in the integrations module

PKSA-m4ck-h7wd-91mj CVE-2021-21026 GHSA-crjc-2v9m-8w7r

Affected version: >=2.4.0,<2.4.2|<2.3.6-p1

Reported by:
GitHub
[MEDIUM] Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API

PKSA-njqv-gp7y-zc74 CVE-2021-21027 GHSA-h4xc-577p-hgj9

Affected version: >=2.4.0,<2.4.2|<2.3.6-p1

Reported by:
GitHub
[MEDIUM] Magento Reflected Cross-site Scripting vulnerability via 'file' parameter

PKSA-m8rz-jc2c-7m91 CVE-2021-21029 GHSA-jwxh-wj79-ccm6

Affected version: >=2.4.0,<2.4.2|<2.3.6-p1

Reported by:
GitHub
[HIGH] Magento stored cross-site scripting (XSS) in the customer address upload feature

PKSA-7rd2-y8tt-4pxt CVE-2021-21030 GHSA-6988-g89m-27vf

Affected version: >=2.4.0,<2.4.1-p1|<2.3.6

Reported by:
GitHub
[MEDIUM] Magento Insufficient Session Expiration

PKSA-whxx-hqxp-qv8z CVE-2021-21032 GHSA-4jfq-f8hc-775q

Affected version: <2.3.6|>=2.4.0,<2.4.1-p1

Reported by:
GitHub
[CRITICAL] Magento vulnerable to a file upload restriction bypass

PKSA-yt4p-w22g-fdxr CVE-2021-21014 GHSA-269w-pqc7-68q9

Affected version: >=2.4.0,<2.4.2|<2.3.6-p1

Reported by:
GitHub
[CRITICAL] Magento OS Command Injection

PKSA-msgn-qz5c-7csr CVE-2021-21018 GHSA-rv48-v862-mp92

Affected version: >=2.4.0,<2.4.1-p1|<2.3.6

Reported by:
GitHub
[MEDIUM] Magento Improper Access Control

PKSA-rx41-6862-pt82 CVE-2021-21020 GHSA-2j6v-829g-885q

Affected version: >=2.4.0,<2.4.1-p1|<2.3.6

Reported by:
GitHub
[CRITICAL] Magento XPath Injection

PKSA-q4sd-rbfw-bn9m CVE-2021-21025 GHSA-h437-qjj9-vmq4

Affected version: >=2.4.0,<2.4.1-p1|<2.3.6-p1

Reported by:
GitHub
[HIGH] Magento OS command injection via the customer attribute save controller

PKSA-q4dq-szdv-ng3x CVE-2021-21015 GHSA-w2p4-2c8c-2g7h

Affected version: >=2.4.0,<2.4.2|<2.3.6-p1

Reported by:
GitHub
[CRITICAL] Magento OS command injection via the WebAPI

PKSA-g12r-tk3d-rbjb CVE-2021-21016 GHSA-792f-c8mp-2cr5

Affected version: >=2.4.0,<2.4.2|<2.3.6-p1

Reported by:
GitHub
[MEDIUM] Magento incorrect permissions vulnerability in the Inventory module

PKSA-1278-33g9-g9k5 CVE-2020-24405 GHSA-p7m7-j8jv-393q

Affected version: >=2.4.0,<2.4.1|<=2.3.5-p2

Reported by:
GitHub
[LOW] Magento information disclosure vulnerability

PKSA-8tng-rkwh-ddv6 CVE-2020-24406 GHSA-mr8q-7f5j-wc79

Affected version: =2.4.0|<2.3.6

Reported by:
GitHub
[CRITICAL] Magento 2 Community Edition RCE via Unsafe File Upload

PKSA-wd67-z9cy-8cfd CVE-2020-24407 GHSA-7pxg-6p87-8c9v

Affected version: <=2.4.0

Reported by:
GitHub
[HIGH] Magento SQL Injection vulnerability

PKSA-6ppv-y2gp-4ffp CVE-2020-24400 GHSA-pf6w-3pfw-fxvw

Affected version: =2.4.0|<2.3.6

Reported by:
GitHub
[MEDIUM] Magento 2 Community Edition Incorrect Authorization

PKSA-ds46-4wsj-k4fh CVE-2020-24401 GHSA-f2g3-3c6q-4478

Affected version: <=2.4.0

Reported by:
GitHub
[MEDIUM] Magento incorrect permissions vulnerability in the Integrations component

PKSA-36s1-jszf-m523 CVE-2020-24402 GHSA-hvf5-4jr9-fghh

Affected version: =2.4.0|<2.3.6

Reported by:
GitHub
[LOW] Magento incorrect user permissions vulnerability within the Inventory component

PKSA-g8kq-c8yg-8h4p CVE-2020-24403 GHSA-39rw-4m66-82gf

Affected version: =2.4.0|<2.3.6

Reported by:
GitHub
[LOW] Magento 2 Community Edition vulnerable to Improper Authorization

PKSA-jj68-r2qs-83z3 CVE-2020-24404 GHSA-rwf7-652f-76mv

Affected version: =2.4.0|<2.3.6

Reported by:
GitHub
[MEDIUM] Magento 2 Community Edition XSS Vulnerability

PKSA-rs6t-7sf8-mdt8 CVE-2020-24408 GHSA-jxjc-6xmh-h7mg

Affected version: <=2.4.0

Reported by:
GitHub
[MEDIUM] Magento observable timing discrepancy vulnerability

PKSA-sgbm-w22w-8y5q CVE-2020-9690 GHSA-xgp9-j48h-jjf9

Affected version: <2.3.5-p2

Reported by:
GitHub
[CRITICAL] Magento DOM-based Cross-site scripting vulnerability

PKSA-1h3y-11mm-5s7z CVE-2020-9691 GHSA-g7pc-799q-743f

Affected version: <2.3.5-p2

Reported by:
GitHub
[MEDIUM] Magento security mitigation bypass vulnerability

PKSA-n3wq-hxkj-qzzb CVE-2020-9692 GHSA-vqg7-8v6x-54rq

Affected version: <2.3.5-p2

Reported by:
GitHub
[MEDIUM] Magento path traversal vulnerability

PKSA-91z4-mk4h-z382 CVE-2020-9689 GHSA-fr6f-xmfx-rrpq

Affected version: <2.3.5-p2

Reported by:
GitHub
[CRITICAL] Magento business logic error vulnerability

PKSA-y4vw-rdhk-sn74 CVE-2020-9630 GHSA-5j4w-v87m-8r65

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[CRITICAL] Magento security mitigation bypass vulnerability

PKSA-1wqx-1cnj-jtp2 CVE-2020-9632 GHSA-6w29-x5j4-qhrw

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[CRITICAL] Magento security mitigation bypass vulnerability

PKSA-wwnj-swgj-jknn CVE-2020-9631 GHSA-gffx-9f36-r8wp

Affected version: <=2.2.11|>=2.3.0,<2.3.4-p2

Reported by:
GitHub
[HIGH] Magento defense-in-depth security mitigation vulnerability

PKSA-sgdg-25nh-np4c CVE-2020-9591 GHSA-w7rh-9w5v-rwqj

Affected version: <=2.2.11|>=2.3.0,<2.3.4-p2

Reported by:
GitHub
[CRITICAL] Magento command injection vulnerability

PKSA-n9xc-krkj-r2rd CVE-2020-9582 GHSA-c3m4-hxv9-4mxj

Affected version: <2.2.12|>=2.3.0,<2.3.4-p2

Reported by:
GitHub
[CRITICAL] Magento command injection vulnerability

PKSA-mznr-75rk-j8zy CVE-2020-9583 GHSA-c55h-7q4j-g6rq

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[MEDIUM] Magento Stored cross-site scripting

PKSA-7nyp-tyvm-1rdx CVE-2020-9584 GHSA-45h4-6gcj-6hwv

Affected version: <2.2.12|>=2.3.0,<2.3.4-p2

Reported by:
GitHub
[CRITICAL] Magento Defense-in-depth security mitigation vulnerability

PKSA-n8n5-6cpw-fk4g CVE-2020-9585 GHSA-55gv-hfg3-hwjq

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[HIGH] Magento authorization bypass vulnerability

PKSA-zsx8-bvvd-km6v CVE-2020-9587 GHSA-8wm7-h2qh-ff4c

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[HIGH] Magento Signature verification bypass

PKSA-wspv-8fs3-txw3 CVE-2020-9588 GHSA-j2r4-2cr6-h3r3

Affected version: <2.3.4-p2

Reported by:
GitHub
[CRITICAL] Magento command injection vulnerability

PKSA-g7vm-z2q8-7j7n CVE-2020-9576 GHSA-4f7x-gjqc-qqpg

Affected version: <2.2.12|>=2.3.0,<2.3.4-p2

Reported by:
GitHub
[MEDIUM] Magento stored cross-site scripting vulnerability

PKSA-pvdt-18mg-45y5 CVE-2020-9577 GHSA-689w-2f93-2x67

Affected version: <2.3.4-p2

Reported by:
GitHub
[CRITICAL] Magento command injection vulnerability

PKSA-qwf4-q3k1-nwcz CVE-2020-9578 GHSA-724x-gqhv-9c5x

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[CRITICAL] Magento Security mitigation bypass vulnerability

PKSA-dggw-rfy7-2ck2 CVE-2020-9579 GHSA-vrp3-wc28-qg2h

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[CRITICAL] Magento Security mitigation bypass vulnerability

PKSA-y417-v5jy-hdq4 CVE-2020-9580 GHSA-j2jp-58gv-g2pg

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[MEDIUM] Magento stored cross-site scripting vulnerability

PKSA-5gvz-2437-gh1r CVE-2020-9581 GHSA-2w2x-7qgj-4x78

Affected version: >=2.3.0,<2.3.4-p2|<=2.2.11

Reported by:
GitHub
[MEDIUM] Magento stored cross-site scripting vulnerability

PKSA-cc2t-kk7v-64hm CVE-2020-3715 GHSA-mgg3-v948-2vgr

Affected version: <=2.2.10|>=2.3.0,<=2.3.3

Reported by:
GitHub
[CRITICAL] Magento security bypass vulnerability

PKSA-ct8f-pj9p-dqrm CVE-2020-3718 GHSA-x9p7-vgp2-9pq2

Affected version: <=2.2.10|>=2.3.0,<=2.3.3

Reported by:
GitHub
[HIGH] Magento sql injection vulnerability

PKSA-q23r-htfp-sg1j CVE-2020-3719 GHSA-rr59-pjwj-6grj

Affected version: <=2.2.10|>=2.3.0,<=2.3.3

Reported by:
GitHub
[MEDIUM] Magento stored cross-site scripting vulnerability

PKSA-f461-4xh2-5s64 CVE-2020-3758 GHSA-p5q3-xg47-653m

Affected version: <=2.2.10|>=2.3.0,<=2.3.3

Reported by:
GitHub
[HIGH] Magento 2 Community Edition RCE Vulnerability

PKSA-qvmd-xx88-c5j8 CVE-2019-8114 GHSA-crv7-r357-gw3w

Affected version: >=2.3.0,<2.3.2-p2|>=2.2.0,<2.2.10|<1.9.4.3

Reported by:
GitHub
[MEDIUM] Magento Cross-Site Request Forgery (CSRF)

PKSA-hkd6-7s85-q9n9 CVE-2018-5301 GHSA-w3mq-67mw-3p9f

Affected version: >=2.1.0,<2.1.2|<2.0.10

Reported by:
GitHub

magento/community-edition Security Advisories for 0.74.0-beta5 (59)

[HIGH] Magento Improper input validation vulnerability

[CRITICAL] Magento XML Injection vulnerability in the Widgets Module

[MEDIUM] Magento Improper Authorization vulnerability in the customers module

[MEDIUM] Magento DOM-based Cross-Site Scripting vulnerability on mage-messages cookies

[MEDIUM] Magento Unauthorized access to restricted resources

[HIGH] Magento Violation of Secure Design Principles vulnerability in RMA PDF filename formats

[MEDIUM] Magento Path Traversal vulnerability

[MEDIUM] Magento Improper input validation vulnerability

[MEDIUM] Magento Insufficient Session Expiration

[CRITICAL] Magento XML injection in the Widgets module

[MEDIUM] Magento Insecure Direct Object Reference (IDOR) in the product module

[MEDIUM] Magento stored cross-site scripting vulnerability in the admin console

[CRITICAL] Magento Blind SQL Injection in the Search module

[MEDIUM] Magento improper authorization vulnerability in the integrations module

[MEDIUM] Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API

[MEDIUM] Magento Reflected Cross-site Scripting vulnerability via 'file' parameter

[HIGH] Magento stored cross-site scripting (XSS) in the customer address upload feature

[MEDIUM] Magento Insufficient Session Expiration

[CRITICAL] Magento vulnerable to a file upload restriction bypass

[CRITICAL] Magento OS Command Injection

[MEDIUM] Magento Improper Access Control

[CRITICAL] Magento XPath Injection

[HIGH] Magento OS command injection via the customer attribute save controller

[CRITICAL] Magento OS command injection via the WebAPI

[MEDIUM] Magento incorrect permissions vulnerability in the Inventory module

[LOW] Magento information disclosure vulnerability

[CRITICAL] Magento 2 Community Edition RCE via Unsafe File Upload

[HIGH] Magento SQL Injection vulnerability

[MEDIUM] Magento 2 Community Edition Incorrect Authorization

[MEDIUM] Magento incorrect permissions vulnerability in the Integrations component

[LOW] Magento incorrect user permissions vulnerability within the Inventory component

[LOW] Magento 2 Community Edition vulnerable to Improper Authorization

[MEDIUM] Magento 2 Community Edition XSS Vulnerability

[MEDIUM] Magento observable timing discrepancy vulnerability

[CRITICAL] Magento DOM-based Cross-site scripting vulnerability

[MEDIUM] Magento security mitigation bypass vulnerability

[MEDIUM] Magento path traversal vulnerability

[CRITICAL] Magento business logic error vulnerability

[CRITICAL] Magento security mitigation bypass vulnerability

[CRITICAL] Magento security mitigation bypass vulnerability

[HIGH] Magento defense-in-depth security mitigation vulnerability

[CRITICAL] Magento command injection vulnerability

[CRITICAL] Magento command injection vulnerability

[MEDIUM] Magento Stored cross-site scripting

[CRITICAL] Magento Defense-in-depth security mitigation vulnerability

[HIGH] Magento authorization bypass vulnerability

[HIGH] Magento Signature verification bypass

[CRITICAL] Magento command injection vulnerability

[MEDIUM] Magento stored cross-site scripting vulnerability

[CRITICAL] Magento command injection vulnerability

[CRITICAL] Magento Security mitigation bypass vulnerability

[CRITICAL] Magento Security mitigation bypass vulnerability

[MEDIUM] Magento stored cross-site scripting vulnerability

[MEDIUM] Magento stored cross-site scripting vulnerability

[CRITICAL] Magento security bypass vulnerability

[HIGH] Magento sql injection vulnerability

[MEDIUM] Magento stored cross-site scripting vulnerability

[HIGH] Magento 2 Community Edition RCE Vulnerability

[MEDIUM] Magento Cross-Site Request Forgery (CSRF)