Vulnerability Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Adobe | Adobe Commerce | >= 2.3.0, <= 2.3.7 |
| Adobe | Magento Open Source | >= 2.3.0, <= 2.3.7 |
Related Weaknesses (CWE)
References
- https://helpx.adobe.com/security/products/magento/apsb21-64.htmlPatchVendor Advisory
- https://helpx.adobe.com/security/products/magento/apsb21-64.htmlPatchVendor Advisory
FAQ
What is CVE-2021-36026?
CVE-2021-36026 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that co...
How severe is CVE-2021-36026?
CVE-2021-36026 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-36026?
Check the references section above for vendor advisories and patch information. Affected products include: Adobe Adobe Commerce, Adobe Magento Open Source.