XML Injection (aka Blind XPath Injection)

CVE-2021-21019

High

9.1/10

Summary

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-91 - XML Injection (aka Blind XPath Injection)

The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

References

Advisory Timeline

Published Feb 11, 2021

XML Injection (aka Blind XPath Injection)

CVE-2021-21019

Summary

CWE-91 - XML Injection (aka Blind XPath Injection)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS