magento/project-community-edition
Packagist | 127 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance. Caveat: the "vulnerable:" ranges below are matched against the releases published on Packagist, which end at 2.0.2 for this package, so they top out at 2.0.2 even for advisories whose text names 2.3.x and 2.4.x releases. Check a Magento 2 install against the affected and fixed versions in the advisory text, not against the Packagist range.
CVEs affecting magento/project-community-edition (page 1 of 3)
- CVE-2016-6485 | HIGH | CVSS 7.5 | EG 7.5 | 2017-03-01
vulnerable: 2.0.0, 2.0.0-rc, 2.0.0-rc2, 2.0.1, 2.0.2
The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mec…
- CVE-2019-8114 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 1.9.4.3 | 2019-11-05
vulnerable: 0.1.0-alpha100 ... 1.0.0-beta (48 versions)
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitr…
- CVE-2020-24401 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-11-09
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's ac…
- CVE-2020-24402 | MEDIUM | CVSS 4.9 | EG 4.9 | 2020-11-09
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to …
- CVE-2020-24403 | LOW | CVSS 2.7 | EG 2.7 | 2020-11-09
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to …
- CVE-2020-24407 | CRITICAL | CVSS 9.1 | EG 9.1 | 2020-11-09
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions t…
- CVE-2020-9576 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9577 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
- CVE-2020-9578 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9580 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9581 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
- CVE-2020-9582 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9583 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9584 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
- CVE-2020-9585 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9587 | HIGH | CVSS 7.5 | EG 7.5 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.
- CVE-2020-9588 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
- CVE-2020-9630 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation.
- CVE-2020-9631 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9632 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-26
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9689 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-07-29
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-9691 | CRITICAL | CVSS 9.6 | EG 9.6 | 2020-07-29
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.3.5-p1 and earlier have a DOM-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2021-21014 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to…
- CVE-2021-21016 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to…
- CVE-2021-21020 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to res…
- CVE-2021-21022 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricte…
- CVE-2021-21023 | MEDIUM | CVSS 4.8 | EG 4.8 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution i…
- CVE-2021-21025 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker…
- CVE-2021-21026 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricte…
- CVE-2021-21027 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of …
- CVE-2021-21030 | HIGH | CVSS 8.1 | EG 8.1 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript e…
- CVE-2021-21031 | MEDIUM | CVSS 5.6 | EG 5.6 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console…
- CVE-2021-21032 | MEDIUM | CVSS 5.6 | EG 5.6 | 2021-02-11
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the…
- CVE-2021-28556 | MEDIUM | CVSS 6.9 | EG 6.9 | 2021-06-28
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript exe…
- CVE-2021-28567 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-09-08
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify …
- CVE-2021-28583 | HIGH | CVSS 7.5 | EG 7.5 | 2021-06-28
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to g…
- CVE-2021-28584 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-06-28
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme. Successful exploitation could lead to arbitrary file system write…
- CVE-2021-28585 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-06-28
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI. Successful exploitation could allow an attacker to send unsolicit…
- CVE-2021-36012 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to alter the…
- CVE-2021-36020 | HIGH | CVSS 8.2 | EG 8.2 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve…
- CVE-2021-36021 | HIGH | CVSS 7.2 | EG 7.2 | 2023-09-06
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative pri…
- CVE-2021-36022 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted sc…
- CVE-2021-36023 | CRITICAL | CVSS 9.1 | EG 9.1 | 2023-09-06
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted sc…
- CVE-2021-36024 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privile…
- CVE-2021-36025 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated atta…
- CVE-2021-36026 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject …
- CVE-2021-36027 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form …
- CVE-2021-36028 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially craf…
- CVE-2021-36029 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve …
- CVE-2021-36030 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-01
vulnerable: 0.1.0-alpha100 ... 2.0.2 (53 versions)
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerabili…
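The advisory texts above give inclusive upper bounds per release line ("2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier)"), and Magento's "-pN" security patch releases sort after the base release (2.4.0 < 2.4.0-p1 < 2.4.1), which a plain semver comparison gets backwards by treating "-p1" as a pre-release. The following is an added example, not code from this page, from Magento or from the aggregator: a Python checker that parses Magento 2 version strings in that order (including the unhyphenated "2.3.5p1" spelling used in some entries above), reads the installed release from a composer.lock, and evaluates it against the "(and earlier)" bounds of four advisories transcribed from this list. The metapackage name magento/product-community-edition, the sample composer.lock content and the command-line usage are assumptions made for the example.

```python
"""Check a Magento 2 install against '<version> (and earlier)' advisory ranges.

Added example, not Magento or aggregator code. Advisory bounds are transcribed
from the entries on this page; the composer.lock sample is constructed.
"""
import json
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Suffix ordering: pre-releases sort before the plain release, and Magento's
# "-pN" security patch releases sort AFTER it (2.4.0 < 2.4.0-p1 < 2.4.1).
# Plain semver would treat "2.4.0-p1" as a pre-release older than 2.4.0.
_SUFFIX_RANK = {"alpha": -3, "beta": -2, "rc": -1, "": 0, "p": 1}

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?"        # major.minor[.patch]
    r"(?:-?(alpha|beta|rc|p)(\d*))?$"   # optional suffix; hyphen optional ("2.3.5p1")
)

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '2.4.0-p1' into a tuple that compares in Magento's release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento 2 version: {text!r}")
    major, minor, patch, suffix, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _SUFFIX_RANK[suffix or ""], int(num or 0))


def is_affected(installed: str, last_affected: Iterable[str]) -> bool:
    """True if `installed` falls inside an advisory's '<X> (and earlier)' ranges.

    The advisory lists one inclusive upper bound per release line, e.g.
    ['2.4.1', '2.4.0-p1', '2.3.6']. The bound sharing the installed version's
    patch line (2.4.0-p1 for a 2.4.0 install) is checked first, then the bound
    on the same major.minor branch. A version older than every listed branch is
    covered by "and earlier"; a branch newer than all of them is outside the
    advisory.
    """
    v = parse_version(installed)
    bounds = [parse_version(b) for b in last_affected]
    for prefix in (3, 2):  # same patch line first, then same release branch
        matching = [b for b in bounds if b[:prefix] == v[:prefix]]
        if matching:
            return v <= max(matching)
    return v < min(bounds)


# Inclusive upper bounds transcribed from the advisory text on this page.
ADVISORIES: Dict[str, List[str]] = {
    "CVE-2020-24407": ["2.4.0", "2.3.5-p1"],
    "CVE-2021-21016": ["2.4.1", "2.4.0-p1", "2.3.6"],
    "CVE-2021-28583": ["2.4.2", "2.4.1-p1", "2.3.6-p1"],
    "CVE-2021-36030": ["2.4.2", "2.4.2-p1", "2.3.7"],
}


def matching_advisories(installed: str, advisories: Dict[str, List[str]] = ADVISORIES) -> List[str]:
    """CVE ids from `advisories` whose ranges include the installed version."""
    return sorted(cve for cve, bounds in advisories.items() if is_affected(installed, bounds))


# Assumption: the installed release is recorded in composer.lock under this
# metapackage name (the project skeleton is the root package and is not listed
# in its own lock file).
METAPACKAGE = "magento/product-community-edition"


def installed_version(composer_lock_text: str, package: str = METAPACKAGE) -> str:
    """Read the version of `package` from the 'packages' array of a composer.lock."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == package:
            return pkg["version"]
    raise KeyError(f"{package} not found in composer.lock")


# Constructed sample lock file for the example (not from a real deployment).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "example/some-module", "version": "1.2.3"},
        {"name": METAPACKAGE, "version": "2.4.1-p1"},
    ]
})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSER_LOCK
    version = installed_version(text)
    hits = matching_advisories(version)
    print(f"{METAPACKAGE} {version}: {', '.join(hits) if hits else 'no listed advisory matches'}")
```

Run it as `python check_magento.py /path/to/composer.lock`; without an argument it evaluates the constructed sample, a 2.4.1-p1 install, which is past the CVE-2021-21016 bound of 2.4.1 but still inside the CVE-2021-28583 and CVE-2021-36030 ranges. Extend ADVISORIES from the detail pages for the remaining entries; Magento 1 version strings such as 1.9.4.3 have four components and are rejected by the parser rather than silently mis-ordered.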