magento/community-edition
Packagist · 317 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting magento/community-edition (page 5 of 7)
- CVE-2021-36033 · CRITICAL · CVSS 9.1 · EG 9.1 · 2021-09-01
vulnerable: 2.4.2
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to…
- CVE-2021-36034 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 2.3.7-p1 · 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.3.7 (122 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remo…
- CVE-2021-36036 · HIGH · CVSS 7.2 · EG 7.2 · 2023-09-06
vulnerable: 2.4.2
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the websit…
- CVE-2021-36037 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 2.3.7-p1 · 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.3.7 (122 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitiv…
- CVE-2021-36038 · MEDIUM · CVSS 6.5 · EG 6.5 · 2021-09-01
vulnerable: 2.4.2
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerabili…
- CVE-2021-36039 · MEDIUM · CVSS 6.5 · EG 6.5 · 2021-09-01
vulnerable: 2.4.2
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sens…
- CVE-2021-36040 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 2.3.7-p1 · 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.3.7 (122 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file …
- CVE-2021-36041 · CRITICAL · CVSS 9.1 · EG 9.1 · 2021-09-01
vulnerable: 2.4.2
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the 'pub/m…
- CVE-2021-36042 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 2.3.7-p1 · 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.3.7 (122 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve…
- CVE-2021-36043 · HIGH · CVSS 8.0 · EG 8.0 · 2021-09-01
vulnerable: 2.4.2
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remo…
- CVE-2021-36044 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.3.7-p1 · 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.3.7 (122 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side den…
- CVE-2021-39864 · MEDIUM · CVSS 6.5 · EG 6.5 · 2021-10-15
vulnerable: 2.4.2
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized a…
- CVE-2022-24086 · CRITICAL · CVSS 9.8 · EG 9.8 · ⚠ KEV · ✓ Fixed in 2.4.3-p2 · 2022-02-16
vulnerable: 2.4.0 ... 2.4.3-p1 (9 versions)
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result…
- CVE-2022-24093 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 2.3.7-p3 · 2023-09-12
vulnerable: 2.3.7-p1, 2.3.7-p2
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication ar…
- CVE-2022-34253 · HIGH · CVSS 7.2 · EG 7.2 · ✓ Fixed in 2.4.3-p3 · 2022-08-16
vulnerable: 2.4.0 ... 2.4.3-p2 (10 versions)
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script t…
- CVE-2022-34254 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 2.4.5 · 2022-08-16
vulnerable: 2.4.4 ... 2.4.4-p7 (8 versions)
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could be abused by an attac…
- CVE-2022-34255 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 2.4.3-p3 · 2022-08-16
vulnerable: 2.4.0 ... 2.4.3-p2 (10 versions)
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account cou…
- CVE-2022-34256 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.4.3-p3 · 2022-08-16
vulnerable: 2.4.0 ... 2.4.3-p2 (10 versions)
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability…
- CVE-2022-34257 · MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 2.4.3-p3 · 2022-08-16
vulnerable: 2.4.0 ... 2.4.3-p2 (10 versions)
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerabl…
- CVE-2022-34258 · MEDIUM · CVSS 4.8 · EG 4.8 · ✓ Fixed in 2.4.3-p3 · 2022-08-16
vulnerable: 2.4.0 ... 2.4.3-p2 (10 versions)
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious …
- CVE-2022-34259 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 2.4.3-p3 · 2022-08-16
vulnerable: 2.4.0 ... 2.4.3-p2 (10 versions)
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnera…
- CVE-2022-35689 · MEDIUM · CVSS 5.3 · EG 5.3 · 2022-10-14
vulnerable: 2.4.3
Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the ava…
- CVE-2022-35692 · MEDIUM · CVSS 5.3 · EG 5.3 · 2022-08-19
vulnerable: 2.4.3
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnera…
- CVE-2022-35698 · CRITICAL · CVSS 10.0 · EG 10.0 · 2022-10-14
vulnerable: 2.4.3
Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbi…
- CVE-2022-42344 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 2.4.5 · 2022-10-20
vulnerable: 2.4.4 ... 2.4.4-p8 (9 versions)
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposu…
- CVE-2023-22247 · HIGH · CVSS 7.5 · EG 7.5 · 2023-03-27
vulnerable: 2.4.4
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary…
- CVE-2023-22248 · HIGH · CVSS 7.5 · EG 7.5 · 2023-06-15
vulnerable: 2.4.5
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnera…
- CVE-2023-22249 · MEDIUM · CVSS 4.8 · EG 4.8 · 2023-03-27
vulnerable: 2.4.5-p1
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form…
- CVE-2023-22250 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 2.4.5-p2 · 2023-03-27
vulnerable: 2.4.5-p1
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the …
- CVE-2023-22251 · MEDIUM · CVSS 4.3 · EG 4.3 · 2023-03-27
vulnerable: 2.4.4
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disc…
- CVE-2023-26366 · MEDIUM · CVSS 6.8 · EG 6.8 · ✓ Fixed in 2.4.4-p6 · 2023-10-13
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. …
- CVE-2023-26367 · MEDIUM · CVSS 4.9 · EG 4.9 · ✓ Fixed in 2.4.4-p6 · 2023-10-13
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an adm…
- CVE-2023-29287 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Information Exposure vulnerability that could lead to a security feature bypass. An attacker could leverage this vulnerabilit…
- CVE-2023-29288 · MEDIUM · CVSS 4.3 · EG 4.3 · 2023-06-15
vulnerable: 2.4.5
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage th…
- CVE-2023-29289 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges can trigger a specially crafted script to a security feature byp…
- CVE-2023-29290 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnera…
- CVE-2023-29291 · MEDIUM · CVSS 4.9 · EG 4.9 · 2023-06-15
vulnerable: 2.4.4
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticat…
- CVE-2023-29292 · MEDIUM · CVSS 4.9 · EG 4.9 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticat…
- CVE-2023-29293 · LOW · CVSS 2.7 · EG 2.7 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could le…
- CVE-2023-29294 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Business Logic Errors vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage t…
- CVE-2023-29295 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverag…
- CVE-2023-29296 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverag…
- CVE-2023-29297 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 2.4.4-p4 · 2023-06-15
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code executio…
- CVE-2023-38207 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.4.4-p5 · 2023-08-09
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an XML Injection (aka Blind XPath Injection) vulnerability that could lead to minor arbitrary file system read. Exploitation o…
- CVE-2023-38208 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 2.4.4-p5 · 2023-08-09
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead t…
- CVE-2023-38209 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 2.4.4-p5 · 2023-08-09
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could levera…
- CVE-2023-38218 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 2.4.4-p6 · 2023-10-13
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this to achieve information exp…
- CVE-2023-38219 · HIGH · CVSS 8.7 · EG 8.7 · ✓ Fixed in 2.4.4-p6 · 2023-10-13
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacke…
- CVE-2023-38220 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.4.4-p6 · 2023-10-13
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead to a security feature bypass in a way that…
- CVE-2023-38221 · HIGH · CVSS 8.0 · EG 8.0 · ✓ Fixed in 2.4.4-p6 · 2023-10-13
vulnerable: 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerabil…