CVE-2021-33351

9.0 CRITICAL

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in the Wyomind Help Desk Magento 2 extension that allows attackers to inject malicious scripts into ticket messages. When exploited, it enables privilege escalation by executing arbitrary code in the context of other users' sessions. Affected users are those running Magento 2 with the vulnerable Wyomind Help Desk extension.

💻 Affected Systems

Products:
  • Wyomind Help Desk Magento 2 extension
Versions: v1.3.6 and earlier
Operating Systems: Any OS running Magento 2
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Magento 2 installation with the vulnerable extension enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative privileges, compromise the entire Magento store, steal customer data, and install backdoors.

🟠 Likely Case

Attackers escalate privileges to gain unauthorized access to administrative functions, potentially modifying orders or accessing sensitive data.

🟢 If Mitigated

With proper input validation and output encoding, the attack would be prevented, maintaining normal system functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to create or modify ticket messages, typically requiring at least low-privilege user access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.3.7

Vendor Advisory: https://www.wyomind.com/magento2/helpdesk-magento-2.html

Restart Required: No

Instructions:

1. Log into the Magento admin panel.
2. Navigate to System > Web Setup Wizard > Extension Manager.
3. Search for Wyomind Help Desk.
4. Update to version 1.3.7 or later.
5. Clear the Magento cache via System > Cache Management.

🔧 Temporary Workarounds

Disable Help Desk Extension

Platform: linux

Temporarily disable the vulnerable extension until patching is possible.

php bin/magento module:disable Wyomind_Helpdesk
php bin/magento setup:upgrade
php bin/magento cache:flush

Implement Input Validation

Platform: all

Add custom input validation to sanitize ticket message fields.

Edit the extension's templates and ticket-processing code so that user-supplied ticket message fields are HTML-entity encoded before they are rendered in any page.
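The following PHP snippet is an added illustration of the encoding workaround described above; it is not the Wyomind extension's code and makes no claim about where in the extension the unsafe output occurs. It places an unescaped rendering of a ticket message beside the hardened version, and adds a small check that flags the same indicators the advisory lists for log and SIEM monitoring. The function names and the sample message are constructed for the example.

```php
<?php
// Added example (not the Wyomind Help Desk extension's own code): unsafe versus
// hardened rendering of a help-desk ticket message, plus an indicator check.
declare(strict_types=1);

// Vulnerable pattern: the user-controlled message is interpolated into HTML
// verbatim, so any markup in it is executed by the viewer's browser.
function renderUnsafe(string $message): string
{
    return '<div class="ticket-message">' . $message . '</div>';
}

// Hardened pattern: encode the message for an HTML text context at output time.
// ENT_QUOTES also encodes both quote characters, so the value stays safe if it is
// ever reused inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string, which would silently drop the message.
function renderEscaped(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="ticket-message">' . $safe . '</div>';
}

// Coarse detection aid mirroring the advisory's indicators (script tags,
// javascript: URLs, onerror handlers). Intended for log review, not as a
// sanitizer: encoding on output is what actually prevents the injection.
function containsXssIndicator(string $message): bool
{
    return (bool) preg_match('/<script\b|javascript:|\bonerror\s*=/i', $message);
}

// Constructed sample ticket message carrying a script tag.
$payload = 'Order not received <script>alert(document.cookie)</script>';

echo renderUnsafe($payload), PHP_EOL;   // script tag reaches the browser unchanged
echo renderEscaped($payload), PHP_EOL;  // rendered as &lt;script&gt;...&lt;/script&gt; text
var_dump(containsXssIndicator($payload)); // bool(true)
```

In a Magento 2 template the equivalent of `renderEscaped()` is the block's `escapeHtml()` method (backed by `Magento\Framework\Escaper`), applied at the point where the ticket message is echoed; the escaping belongs at output time, so stored messages need not be rewritten and legitimate punctuation in tickets is preserved.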

🧯 If You Can't Patch

  • Restrict user permissions to minimize who can create or edit tickets.
  • Implement web application firewall (WAF) rules to block XSS payloads in ticket submissions.

🔍 How to Verify

Check if Vulnerable:

Check the extension version in Magento admin under Stores > Configuration > Advanced > Advanced. Look for Wyomind_Helpdesk module version.

Check Version:

php bin/magento module:status | grep Wyomind_Helpdesk

Verify Fix Applied:

Confirm the extension version is 1.3.7 or higher and test ticket creation with XSS payloads to ensure they are sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ticket creation/modification patterns
  • JavaScript or HTML payloads in ticket message fields in application logs

Network Indicators:

  • HTTP POST requests to ticket endpoints containing script tags or JavaScript code

SIEM Query:

source="magento_logs" AND ("ticket" AND ("<script>" OR "javascript:" OR "onerror="))
