Skip to content

Commit 0cc5508

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-4g27-q2w9-m8m8 GHSA-8cjg-f53m-8m9q GHSA-wqr6-wv6c-p8fx GHSA-399j-vxmf-hjvr GHSA-4g27-q2w9-m8m8 GHSA-8cjg-f53m-8m9q GHSA-wqr6-wv6c-p8fx
1 parent c7c41ab commit 0cc5508

File tree

7 files changed

+384
-112
lines changed

7 files changed

+384
-112
lines changed

advisories/github-reviewed/2023/09/GHSA-4g27-q2w9-m8m8/GHSA-4g27-q2w9-m8m8.json

Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,117 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4g27-q2w9-m8m8",
4+
"modified": "2025-11-06T17:29:07Z",
5+
"published": "2023-09-06T15:30:27Z",
6+
"aliases": [
7+
"CVE-2021-36021"
8+
],
9+
"summary": "Magento affected by remote code execution vulnerability in the CMS page scheduled update feature",
10+
"details": "Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability to achieve remote code execution on the system.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "magento/project-community-edition"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "2.0.2"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "magento/community-edition"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"fixed": "2.3.7-p1"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "magento/community-edition"
60+
},
61+
"versions": [
62+
"2.3.7"
63+
]
64+
},
65+
{
66+
"package": {
67+
"ecosystem": "Packagist",
68+
"name": "magento/community-edition"
69+
},
70+
"ranges": [
71+
{
72+
"type": "ECOSYSTEM",
73+
"events": [
74+
{
75+
"introduced": "2.4.2-p1"
76+
},
77+
{
78+
"fixed": "2.4.2-p2"
79+
}
80+
]
81+
}
82+
]
83+
},
84+
{
85+
"package": {
86+
"ecosystem": "Packagist",
87+
"name": "magento/community-edition"
88+
},
89+
"versions": [
90+
"2.4.2"
91+
]
92+
}
93+
],
94+
"references": [
95+
{
96+
"type": "ADVISORY",
97+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36021"
98+
},
99+
{
100+
"type": "PACKAGE",
101+
"url": "https://github.com/magento/magento2"
102+
},
103+
{
104+
"type": "WEB",
105+
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
106+
}
107+
],
108+
"database_specific": {
109+
"cwe_ids": [
110+
"CWE-20"
111+
],
112+
"severity": "CRITICAL",
113+
"github_reviewed": true,
114+
"github_reviewed_at": "2025-11-06T17:29:07Z",
115+
"nvd_published_at": "2023-09-06T14:15:08Z"
116+
}
117+
}

advisories/github-reviewed/2023/09/GHSA-8cjg-f53m-8m9q/GHSA-8cjg-f53m-8m9q.json

Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,117 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-8cjg-f53m-8m9q",
4+
"modified": "2025-11-06T17:29:26Z",
5+
"published": "2023-09-06T15:30:27Z",
6+
"aliases": [
7+
"CVE-2021-36023"
8+
],
9+
"summary": "Magento XML Injection vulnerability in the Widgets Update Layout",
10+
"details": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "magento/project-community-edition"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "2.0.2"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "magento/community-edition"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"fixed": "2.3.7-p1"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "magento/community-edition"
60+
},
61+
"versions": [
62+
"2.3.7"
63+
]
64+
},
65+
{
66+
"package": {
67+
"ecosystem": "Packagist",
68+
"name": "magento/community-edition"
69+
},
70+
"ranges": [
71+
{
72+
"type": "ECOSYSTEM",
73+
"events": [
74+
{
75+
"introduced": "2.4.2-p1"
76+
},
77+
{
78+
"fixed": "2.4.2-p2"
79+
}
80+
]
81+
}
82+
]
83+
},
84+
{
85+
"package": {
86+
"ecosystem": "Packagist",
87+
"name": "magento/community-edition"
88+
},
89+
"versions": [
90+
"2.4.2"
91+
]
92+
}
93+
],
94+
"references": [
95+
{
96+
"type": "ADVISORY",
97+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36023"
98+
},
99+
{
100+
"type": "PACKAGE",
101+
"url": "https://github.com/magento/magento2"
102+
},
103+
{
104+
"type": "WEB",
105+
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
106+
}
107+
],
108+
"database_specific": {
109+
"cwe_ids": [
110+
"CWE-78"
111+
],
112+
"severity": "CRITICAL",
113+
"github_reviewed": true,
114+
"github_reviewed_at": "2025-11-06T17:29:26Z",
115+
"nvd_published_at": "2023-09-06T14:15:08Z"
116+
}
117+
}

advisories/github-reviewed/2023/09/GHSA-wqr6-wv6c-p8fx/GHSA-wqr6-wv6c-p8fx.json

Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,117 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-wqr6-wv6c-p8fx",
4+
"modified": "2025-11-06T17:29:19Z",
5+
"published": "2023-09-06T15:30:27Z",
6+
"aliases": [
7+
"CVE-2021-36036"
8+
],
9+
"summary": "Magento improper access control vulnerability within Magento's Media Gallery Upload workflow",
10+
"details": "Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "magento/project-community-edition"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "2.0.2"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "magento/community-edition"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"fixed": "2.3.7-p1"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "magento/community-edition"
60+
},
61+
"versions": [
62+
"2.3.7"
63+
]
64+
},
65+
{
66+
"package": {
67+
"ecosystem": "Packagist",
68+
"name": "magento/community-edition"
69+
},
70+
"ranges": [
71+
{
72+
"type": "ECOSYSTEM",
73+
"events": [
74+
{
75+
"introduced": "2.4.2-p1"
76+
},
77+
{
78+
"fixed": "2.4.2-p2"
79+
}
80+
]
81+
}
82+
]
83+
},
84+
{
85+
"package": {
86+
"ecosystem": "Packagist",
87+
"name": "magento/community-edition"
88+
},
89+
"versions": [
90+
"2.4.2"
91+
]
92+
}
93+
],
94+
"references": [
95+
{
96+
"type": "ADVISORY",
97+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36036"
98+
},
99+
{
100+
"type": "PACKAGE",
101+
"url": "https://github.com/magento/magento2"
102+
},
103+
{
104+
"type": "WEB",
105+
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
106+
}
107+
],
108+
"database_specific": {
109+
"cwe_ids": [
110+
"CWE-284"
111+
],
112+
"severity": "CRITICAL",
113+
"github_reviewed": true,
114+
"github_reviewed_at": "2025-11-06T17:29:19Z",
115+
"nvd_published_at": "2023-09-06T14:15:09Z"
116+
}
117+
}

0 commit comments

Comments
 (0)