CVE-2021-36043

Severity CVSS v4.0:
Pending analysis
Type:
CWE-918 Server-Side Request Forgery (SSRF)
Publication date:
01/09/2021
Last modified:
08/09/2021

Description

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:* 2.3.0 (including) 2.3.7 (including)
cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:* 2.4.0 (including) 2.4.2 (including)
cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:* 2.3.0 (including) 2.3.7 (including)
cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:* 2.4.0 (including) 2.4.2 (including)
cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*


References to Advisories, Solutions, and Tools