CVE-2021-21030

HIGH8.1EPSS 6.3%

Magento stored cross-site scripting (XSS) in the customer address upload feature

Published: 5/24/2022Modified: 2/10/2025

Also known as:GHSA-6988-g89m-27vfBIT-magento-2021-21030

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction.

Affected packages (3)

Bitnami/magentofrom 0, < 2.3.6, >= 2.4.0, < 2.4.1
Packagist/magento/community-editionfrom 0, < 2.3.6
Packagist/magento/project-community-editionfrom 0, <= 2.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21030
PATCHhttps://github.com/magento/magento2
WEBhttps://helpx.adobe.com/security/products/magento/apsb21-08.html