CVE-2021-28585
Magento Commerce improper input validation in the new-customer WebAPI
5.3
MEDIUM
CVSS 3.1
EPSS 0.35%
Description
Magento versions 2.4.2 (and earlier), 2.4.1 (and earlier) and 2.3.6 (and earlier) are affected by an improper input validation vulnerability in the new-customer WebAPI. Successful exploitation could allow an attacker to send unsolicited spam e-mails. The CVSS vector (C:N/I:L/A:N, no privileges or user interaction required) matches that description: an unauthenticated request cannot read or disrupt anything, but can make the store send mail it should not.
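The advisory names the missing control (input validation on the new-customer WebAPI) without showing it. The validator below is an added example of that control as a compensating measure, not Magento code and not Adobe's fix: it assumes the request shape Magento's REST customer-creation call accepts (`{"customer": {"email", "firstname", "lastname"}, "password"}`), and the field rules (allowed name characters, the URL heuristic, the control-character check on the address) are this example's own policy. The sample payloads are constructed, not captured traffic.

```python
"""Validate a new-customer request before it can trigger outbound mail.

Added example, not Magento code and not Adobe's fix for CVE-2021-28585.
Assumed request shape: {"customer": {"email", "firstname", "lastname"},
"password"}.  The field rules are this example's policy, not the vendor's.
"""
import re
import unicodedata
from typing import Dict, List

MAX_NAME_LEN = 255
MAX_EMAIL_LEN = 254

# Punctuation a person's name may legitimately contain, on top of letters
# (Unicode category L*) and combining marks (M*).  Digits, slashes, colons,
# angle brackets and line breaks are rejected, not stripped.
_ALLOWED_NAME_PUNCT = set(" '\u2019-.,&")

# Anything that would render as a clickable link or a domain in a mail body.
# Deliberately strict: "St.John" is flagged (write "St. John"), because the
# cost of a false positive here is a re-typed name, not a spam run.
_URL_RE = re.compile(r"(?i)(?:https?://|www\.|\b[\w-]+\.[a-z]{2,}\b(?:/\S*)?)")

# Pragmatic address shape; the mail system's own parser is the final word.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_like_url(text: str) -> bool:
    """True if the text contains a scheme, a www. prefix or a domain-like token."""
    return _URL_RE.search(text) is not None


def _check_name(field: str, value) -> List[str]:
    if not isinstance(value, str) or not value.strip():
        return [f"{field}: required"]
    errors: List[str] = []
    if len(value) > MAX_NAME_LEN:
        errors.append(f"{field}: longer than {MAX_NAME_LEN} characters")
    for ch in value:
        if unicodedata.category(ch)[0] not in "LM" and ch not in _ALLOWED_NAME_PUNCT:
            errors.append(f"{field}: character {ch!r} is not allowed in a name")
            break
    if looks_like_url(value):
        errors.append(f"{field}: looks like a URL or domain name")
    return errors


def _check_email(value) -> List[str]:
    if not isinstance(value, str) or not value:
        return ["email: required"]
    if len(value) > MAX_EMAIL_LEN:
        return [f"email: longer than {MAX_EMAIL_LEN} characters"]
    # CR/LF or other control characters in the recipient address would let the
    # caller add headers (extra recipients) to the message the store sends.
    if any(unicodedata.category(ch) == "Cc" for ch in value):
        return ["email: control characters are not allowed"]
    if not _EMAIL_RE.match(value):
        return ["email: not a valid address"]
    return []


def validate_new_customer(payload: Dict) -> List[str]:
    """Return a list of validation errors; an empty list means accept."""
    customer = payload.get("customer") if isinstance(payload, dict) else None
    if not isinstance(customer, dict):
        return ["customer: missing or not an object"]
    errors: List[str] = []
    for field in ("firstname", "lastname"):
        errors += _check_name(field, customer.get(field))
    errors += _check_email(customer.get("email"))
    return errors


# Constructed sample requests (not captured traffic).
GOOD_PAYLOAD = {
    "customer": {"email": "jane.doe@example.com",
                 "firstname": "Jane", "lastname": "O'Doe-Smith"},
    "password": "Correct-Horse-9",
}
SPAM_PAYLOAD = {
    "customer": {"email": "victim@example.com",  # the address that would receive the spam
                 "firstname": "You have won a prize, claim it at",
                 "lastname": "www.spam-example.test/claim"},
    "password": "Correct-Horse-9",
}

if __name__ == "__main__":
    for label, payload in (("good", GOOD_PAYLOAD), ("spam", SPAM_PAYLOAD)):
        print(label, validate_new_customer(payload) or "accepted")
```

Note what the sample shows: the spam sentence in `firstname` passes the character rules, because a name policy cannot tell a sentence from a long name; it is the URL check on `lastname` that denies the spammer the payoff. Field validation alone is therefore half the control; rate-limiting unauthenticated account creation per source address is the other half.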
How to fix CVE-2021-28585
To remediate CVE-2021-28585, upgrade the affected package to a fixed version below.
- 2.3 branch: upgrade to 2.3.7 or later. The description lists 2.3.6 (and earlier) as affected, so 2.3.6 itself is not a fix; 2.3.7 is the release Adobe's APSB21-30 bulletin names for this branch.
- 2.4 branch: upgrade to 2.4.2-p1 or later. Magento's -pN suffix marks a later security release, so 2.4.2-p1 is newer than 2.4.2; a version check that strips the suffix, or treats it as a semver pre-release, will wrongly pass an unpatched 2.4.2.
- no fixed version is listed for the third affected package; treat it as unfixed and verify against the vendor bulletin.
Is CVE-2021-28585 being exploited?
Low. EPSS is 0.35%, the model's estimated probability of exploitation in the wild within the next 30 days, so exploitation has not been observed at scale. That is not a reason to defer the upgrade: the vector (AV:N/PR:N/UI:N) says the request needs no account and no victim interaction, and a store that can be made to send arbitrary mail is the kind of target that gets abused opportunistically.
Affected packages (3)
- from 0, < 2.3.6; >= 2.4.1, < 2.4.2; >= 2.4.2, < 2.4.3
- >= 2.4.0, < 2.4.2-p1
- from 0, <= 2.0.2
The package names were not captured on this page. The first entry's ranges also skip 2.3.6 to 2.4.0, which the description says are affected, so use the description and the vendor bulletin as the source of truth for exposure, not these ranges alone.
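The fix list and the ranges above both hinge on comparing Magento version strings correctly, including the -pN suffix. The checker below is an added example (not vendor tooling) that encodes the fixed releases as 2.4.2-p1 (this page's own fix line) and 2.3.7 (the release after 2.3.6, which the description lists as affected; Adobe's APSB21-30 bulletin names it, but confirm against the bulletin before relying on this). Everything older than the 2.4 branch is treated as affected, matching "2.3.6 (and earlier)".

```python
"""Tell whether a Magento version string is inside the CVE-2021-28585 ranges.

Added example, not vendor tooling.  Fixed releases encoded: 2.4.2-p1 (from
this page) and 2.3.7 (assumed from "2.3.6 (and earlier)" being affected;
verify against Adobe's APSB21-30 bulletin).
"""
import re
from typing import Tuple

# Magento security releases carry a "-pN" suffix (2.4.2-p1, 2.3.6-p1).  Unlike
# a semver pre-release tag, "-pN" marks a POST-release: 2.4.2-p1 is newer than
# 2.4.2.  A semver comparison gets that backwards, so the suffix is parsed into
# a fourth component that sorts after the bare release (which gets N = 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'2.4.2-p1' -> (2, 4, 2, 1); '2.4.2' -> (2, 4, 2, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


FIXED_2_4 = parse_version("2.4.2-p1")
FIXED_2_3 = parse_version("2.3.7")  # assumed, see module docstring


def is_affected(text: str) -> bool:
    v = parse_version(text)
    if v[:2] == (2, 4):
        return v < FIXED_2_4      # 2.4.0 through 2.4.2 (no -p suffix)
    if v[:2] <= (2, 3):
        return v < FIXED_2_3      # 2.3.6, 2.3.6-p1 and everything older
    return False                  # 2.4.3 and later branches


def target_version(text: str) -> str:
    """Lowest release that clears the advisory for the given branch."""
    v = parse_version(text)
    if not is_affected(text):
        return text.strip()
    return "2.4.2-p1" if v[:2] == (2, 4) else "2.3.7"


if __name__ == "__main__":
    for s in ("2.3.5", "2.3.6-p1", "2.3.7", "2.4.2", "2.4.2-p1", "2.4.3"):
        print(f"{s:10} affected={is_affected(s)!s:5} upgrade_to={target_version(s)}")
```

Feed it the output of `bin/magento --version` (or the version pinned in composer.lock) for each store; the suffix-aware tuple is the part most ad hoc scripts get wrong.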
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |