{"containers": {"cna": {"affected": [{"product": "Magento Commerce", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2.4.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.4.0-p1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.3.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-02-09T00:00:00", "descriptions": [{"lang": "en", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-11T19:38:50", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Magento Commerce Unauthorized Data Modification Could Lead to Arbitrary Code Execution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2021-02-09T23:00:00.000Z", "ID": "CVE-2021-21016", "STATE": "PUBLIC", "TITLE": "Magento Commerce Unauthorized Data Modification Could Lead to Arbitrary Code Execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Magento Commerce", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.4.1"}, {"version_affected": "<=", "version_value": "2.4.0-p1"}, {"version_affected": "<=", "version_value": "2.3.6"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation."}]}, "impact": {"cvss": {"attackComplexity": "None", "attackVector": "None", "availabilityImpact": "None", "baseScore": 9.1, "baseSeverity": "Critical", "confidentialityImpact": "None", "integrityImpact": "None", "privilegesRequired": "None", "scope": "None", "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:53:23.210Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}]}]}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2021-21016", "datePublished": "2021-02-11T19:38:50.385879Z", "dateReserved": "2020-12-18T00:00:00", "dateUpdated": "2024-09-16T20:12:07.684Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "14B6B496-E849-4935-B3D8-8BDB8DDD59A3", "versionEndExcluding": "2.3.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*", "matchCriteriaId": "79C3A2B0-AE14-4D0F-BEE2-82FC00BE6087", "versionEndExcluding": "2.3.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*", "matchCriteriaId": "F9C60780-1213-4D06-A4C4-CC915C952B7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*", "matchCriteriaId": "3CCEDD72-7195-495C-A9B6-9D18BA9756F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*", "matchCriteriaId": "05F799AA-CDC0-409F-BB7E-CB941D6FB189", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*", "matchCriteriaId": "600AA27A-D2A8-41C3-8631-74ECF7453E78", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*", "matchCriteriaId": "67683B07-34CD-4DD2-A6C9-C71733007397", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*", "matchCriteriaId": "ECA32B69-E9D8-4C01-ACDC-E0F885D937FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*", "matchCriteriaId": "80860D39-0D51-47B3-BA92-F473ADA1BBC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*", "matchCriteriaId": "2ADFE661-AB9C-4387-AC4F-D14A0717C2B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation."}, {"lang": "es", "value": "Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a una inyecci\u00f3n de comandos del Sistema Operativo por medio de la WebAPI.&#xa0;Una explotaci\u00f3n con \u00e9xito podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo remota por parte de un atacante autenticado.&#xa0;Es requerido un acceso a la consola de administraci\u00f3n para una explotaci\u00f3n con \u00e9xito"}], "id": "CVE-2021-21016", "lastModified": "2024-11-21T05:47:24.507", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2021-02-11T20:15:13.920", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "psirt@adobe.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}