=2.4.0, <2.4.2-p2

Q: How to fix?

Upgrade magento/community-edition to version 2.3.7-p1, 2.4.2-p2 or higher.

Threat Intelligence

9.65% (93^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about XML Injection vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PHP-MAGENTOCOMMUNITYEDITION-13863531
published9 Nov 2025
disclosed6 Sept 2023
creditBlaklis

Report a new vulnerability Found a mistake?

Introduced: 6 Sep 2023

CVE-2021-36023 (opens in a new tab) CWE-91 (opens in a new tab)

How to fix?

Upgrade magento/community-edition to version 2.3.7-p1, 2.4.2-p2 or higher.

Overview

magento/community-edition is a modern cloud eCommerce platform.

Affected versions of this package are vulnerable to XML Injection via the widgets update layout. An attacker with administrative privileges can execute arbitrary commands by submitting specially crafted XML data.

References

Adobe Security Bulletin

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
High
Integrity (SI)
None
Availability (SA)
Low