Description
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a reflected cross-site scripting vulnerability via the 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.