CVE-2021-36020
📋 TL;DR
This CVE describes an XML injection vulnerability in Magento Commerce's 'City' field that allows unauthenticated attackers to execute arbitrary code remotely. It affects Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. Attackers can exploit this by submitting specially crafted XML payloads through the vulnerable field.
💻 Affected Systems
- Magento Commerce
- Magento Open Source
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the Magento server, allowing data theft, malware deployment, and lateral movement within the network.
Likely Case
Remote code execution leading to data exfiltration, website defacement, or installation of backdoors for persistent access.
If Mitigated
Attack blocked at WAF level or prevented by input validation, resulting in no impact.
🎯 Exploit Status
Exploitation requires minimal technical skill as the vulnerability is in a user-accessible field and public exploit details exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.3, 2.4.2-p2, 2.3.7-p1
Vendor Advisory: https://helpx.adobe.com/security/products/magento/apsb21-64.html
Restart Required: Yes
Instructions:
1. Back up your Magento installation and database.
2. Update to Magento 2.4.3, 2.4.2-p2, or 2.3.7-p1.
3. Clear cache: bin/magento cache:clean
4. Restart web server services.
🔧 Temporary Workarounds
Input Validation for City Field
Implement server-side validation to sanitize XML special characters in the City field input.
Implement custom validation in Magento's checkout or address validation modules
WAF Rule for XML Injection
Configure web application firewall to block XML payloads in form fields.
Add WAF rule to detect and block patterns like <![CDATA[, <?xml, <, > in City parameter
🧯 If You Can't Patch
- Disable guest checkout to require authentication for all transactions
- Implement strict input validation on all form fields, particularly the City field
🔍 How to Verify
Check if Vulnerable:
Check Magento version via admin panel or run: php bin/magento --version
Check Version:
php bin/magento --version
Verify Fix Applied:
Verify version is 2.4.3, 2.4.2-p2, or 2.3.7-p1 or later. Test City field with XML payloads to ensure they're rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML patterns in City field submissions
- Multiple failed XML parsing attempts in application logs
- Unexpected system command execution in logs
Network Indicators:
- XML payloads in HTTP POST requests to checkout/address endpoints
- Unusual outbound connections from Magento server
SIEM Query:
source="magento_logs" AND ("City" AND ("<![CDATA[" OR "<?xml" OR "<" OR ">"))
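
Added example (not from the vendor advisory or Magento's code): a literal search for "<" or ">" misses values that reach the server URL-encoded (%3C), double-encoded (%253C) or as JSON \u003c escapes, so this sketch normalises the City value before applying the same markers as the query above. The key names city and shipping[city], and the availability of the request content type and body in your logs, are assumptions; the sample requests are constructed.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus

XML_MARKERS = re.compile(r"[<>]")  # also covers <![CDATA[ and <?xml
CITY_KEY = re.compile(r"(?:^|\[)city\]?$", re.I)  # city or shipping[city] (assumed names)

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so %253C -> %3C -> < is not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def city_values(content_type, body):
    """Yield each City value from a JSON or form-encoded request body."""
    if "json" not in content_type.lower():
        yield from (v for k, v in parse_qsl(body) if CITY_KEY.search(k))
        return
    try:
        stack = [json.loads(body)]  # json.loads also resolves \u003c escapes
    except ValueError:
        return
    while stack:  # walk nested objects and arrays
        node = stack.pop()
        if isinstance(node, dict):
            for key, val in node.items():
                if key.lower() == "city" and isinstance(val, str):
                    yield val
                stack.append(val)  # strings pushed here are ignored on pop
        elif isinstance(node, list):
            stack.extend(node)

def suspicious_city(content_type, body):
    """Return decoded City values that contain XML metacharacters."""
    decoded = (fully_decode(v) for v in city_values(content_type, body))
    return [v for v in decoded if XML_MARKERS.search(v)]

# Constructed sample requests (not real traffic): (content type, body)
SAMPLES = [
    ("application/x-www-form-urlencoded", "street=1+Main+St&city=Austin"),
    ("application/x-www-form-urlencoded", "city=%253C%2521%255BCDATA%255Bx%255D%255D%253E"),
    ("application/json", '{"address": {"city": "\\u003c?xml x?\\u003e"}}'),
    ("application/json", '{"address": {"city": "Saint-Denis"}}'),
]

FLAGGED = [suspicious_city(ctype, body) for ctype, body in SAMPLES]
```

FLAGGED holds one list per sample; the second and third samples are flagged even though neither raw body contains a literal "<".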