{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45951?format=json","vulnerability_id":"VCID-nn21-hf8r-ykfd","summary":"Magento XML Injection vulnerability in the Widgets Update Layout\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.","aliases":[{"alias":"CVE-2021-36023"},{"alias":"GHSA-8cjg-f53m-8m9q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66777?format=json","purl":"pkg:composer/magento/community-edition@2.3.7-p1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-y93w-2qcc-wqg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.7-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/66778?format=json","purl":"pkg:composer/magento/community-edition@2.4.2-p2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2-p2"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66776?format=json","purl":"pkg:composer/magento/community-edition@2.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-y93w-2qcc-wqg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/58956?format=json","purl":"pkg:composer/magento/community-edition@2.4.2-p1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/58955?format=json","purl":"pkg:composer/magento/community-edition@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1k4q-2ttb-13hd"},{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-yvcy-4e8m-p3b8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/64410?format=json","purl":"pkg:composer/magento/project-community-edition@2.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1jsp-392b-2fgb"},{"vulnerability":"VCID-2h52-3pt6-dfcw"},{"vulnerability":"VCID-2vsw-t8k2-4bfm"},{"vulnerability":"VCID-2z3f-wtw6-yydf"},{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-3et4-3zad-1qfn"},{"vulnerability":"VCID-3zcy-b3th-ukhd"},{"vulnerability":"VCID-4dae-vty8-b7hk"},{"vulnerability":"VCID-525q-afzj-tkcp"},{"vulnerability":"VCID-5gxr-xksz-5ydb"},{"vulnerability":"VCID-6p6q-ctya-q3bv"},{"vulnerability":"VCID-6t9w-cnkz-s3c3"},{"vulnerability":"VCID-6tx4-wexr-fkbb"},{"vulnerability":"VCID-7hrm-jtbx-sqgm"},{"vulnerability":"VCID-7s74-rdkp-vyaf"},{"vulnerability":"VCID-7s7e-adr6-h3dc"},{"vulnerability":"VCID-8hx4-r8bb-n7ge"},{"vulnerability":"VCID-8ky6-w2nk-9bds"},{"vulnerability":"VCID-8msu-s38a-p7e3"},{"vulnerability":"VCID-8shb-t5zp-rqbu"},{"vulnerability":"VCID-9cc9-npdc-8bac"},{"vulnerability":"VCID-9vrt-uccb-myev"},{"vulnerability":"VCID-a8gs-ervm-e3hm"},{"vulnerability":"VCID-a9b6-tenb-afdw"},{"vulnerability":"VCID-agtm-nkhp-dkdn"},{"vulnerability":"VCID-az2w-5xhy-5fe4"},{"vulnerability":"VCID-b3cn-pjp3-4yhm"},{"vulnerability":"VCID-b4jg-dj1a-9qd5"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-b9ry-u6qy-j7cc"},{"vulnerability":"VCID-cafy-5dd8-rudj"},{"vulnerability":"VCID-cc8x-6es1-8kc5"},{"vulnerability":"VCID-ccx1-qacj-2qev"},{"vulnerability":"VCID-cgwk-hn4t-n7c1"},{"vulnerability":"VCID-cm2a-1yc5-v3cy"},{"vulnerability":"VCID-cqjn-3z6n-sff1"},{"vulnerability":"VCID-d2ab-j8bf-e7dx"},{"vulnerability":"VCID-d6mk-hg8h-7qbc"},{"vulnerability":"VCID-dj5a-35gt-u7dn"},{"vulnerability":"VCID-dpgz-dacm-sqg6"},{"vulnerability":"VCID-dx43-89w9-a7dg"},{"vulnerability":"VCID-e9zx-zy9y-2fcp"},{"vulnerability":"VCID-egy6-nku7-zyap"},{"vulnerability":"VCID-eygc-ra9u-gyej"},{"vulnerability":"VCID-fz5y-um7w-63f4"},{"vulnerability":"VCID-fzam-yuyg-qyd5"},{"vulnerability":"VCID-fzm9-e6bg-r7aw"},{"vulnerability":"VCID-gedj-39p5-ubd6"},{"vulnerability":"VCID-hbau-7tvg-cygz"},{"vulnerability":"VCID-hh8a-mgkk-3yb5"},{"vulnerability":"VCID-j124-q39m-mkby"},{"vulnerability":"VCID-j5vp-2jrx-ukf4"},{"vulnerability":"VCID-j6ss-8f4e-e7g2"},{"vulnerability":"VCID-jhd5-tqph-3ufu"},{"vulnerability":"VCID-jr49-4fs3-8qcp"},{"vulnerability":"VCID-kezx-5nw5-hfen"},{"vulnerability":"VCID-kxnm-y19k-mqg2"},{"vulnerability":"VCID-m5z8-hz81-j7b7"},{"vulnerability":"VCID-m83v-51cy-uqar"},{"vulnerability":"VCID-md7v-w5aq-t7h1"},{"vulnerability":"VCID-mhvf-2keh-2qar"},{"vulnerability":"VCID-mjb6-7au8-5fdx"},{"vulnerability":"VCID-msac-ptqf-pyg1"},{"vulnerability":"VCID-mtr5-suag-2bdj"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-p222-28c1-vfhy"},{"vulnerability":"VCID-qfw5-3tdu-x7g4"},{"vulnerability":"VCID-qj4x-u7gx-9uf1"},{"vulnerability":"VCID-qp7s-amch-v3cd"},{"vulnerability":"VCID-qrwc-3gsb-zkfy"},{"vulnerability":"VCID-qzqd-271b-ybfj"},{"vulnerability":"VCID-r4bw-w4t9-23ek"},{"vulnerability":"VCID-r7nh-arcj-8fb3"},{"vulnerability":"VCID-rbjk-3gcs-2qb5"},{"vulnerability":"VCID-re84-qg3k-3ub3"},{"vulnerability":"VCID-rf6p-ct86-5bgz"},{"vulnerability":"VCID-ruru-fwmn-5kes"},{"vulnerability":"VCID-s4bp-kzfu-8qfy"},{"vulnerability":"VCID-s5e2-d6n8-kkbr"},{"vulnerability":"VCID-scg7-ugdn-53b9"},{"vulnerability":"VCID-tc3m-4bkg-qkcf"},{"vulnerability":"VCID-te3b-exz5-zke1"},{"vulnerability":"VCID-th7y-aj51-mbaj"},{"vulnerability":"VCID-tvz9-8s4d-gbg6"},{"vulnerability":"VCID-tzug-ckkn-dyft"},{"vulnerability":"VCID-upcj-z3c1-ubcf"},{"vulnerability":"VCID-w3zd-fezc-nuhd"},{"vulnerability":"VCID-wjfe-wh5k-1qft"},{"vulnerability":"VCID-ws6y-k3tx-r3gb"},{"vulnerability":"VCID-wzu6-rbsv-mkde"},{"vulnerability":"VCID-x46d-a16g-nkg9"},{"vulnerability":"VCID-xsq8-ztqh-ubb8"},{"vulnerability":"VCID-y4r1-yr69-uuf6"},{"vulnerability":"VCID-y7x4-664r-3fbk"},{"vulnerability":"VCID-y93w-2qcc-wqg8"},{"vulnerability":"VCID-yuvf-e7hk-kqf9"},{"vulnerability":"VCID-yyq6-dvyx-3bb9"},{"vulnerability":"VCID-zt9b-9sjx-7qb4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/project-community-edition@2.0.2"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36023","reference_id":"","reference_type":"","scores":[{"value":"0.1628","scoring_system":"epss","scoring_elements":"0.9495","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36023"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-64.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-64.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36023","reference_id":"CVE-2021-36023","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36023"},{"reference_url":"https://github.com/advisories/GHSA-8cjg-f53m-8m9q","reference_id":"GHSA-8cjg-f53m-8m9q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8cjg-f53m-8m9q"}],"weaknesses":[{"cwe_id":78,"name":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","description":"The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":"0.5","weighted_severity":"9.0","risk_score":4.5,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nn21-hf8r-ykfd"}