---
Magento Commerce is a popular e-commerce platform, used by thousands of online retailers globally due to its robust, scalable, and easy-to-use nature. However, recently reported security vulnerability CVE-2021-36023 has exposed a critical issue in Magento Commerce, where attackers can compromise online stores by exploiting an XML Injection vulnerability in the Widgets Update Layout and execute remote code.
The versions affected are Magento Commerce 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). This vulnerability has raised alarm bells in the cybersecurity community, and online retailers on Magento Commerce should be aware of its implications and how to mitigate it.
Vulnerability Details
---
CVE-2021-36023 is an XML Injection vulnerability in the Widgets Update Layout, which exists due to incorrect input validation. Attackers can manipulate the XML payload to inject a malicious script, allowing them to execute arbitrary code remotely on the hosting server. To exploit this vulnerability, an attacker requires admin access, which can be achieved through spear-phishing, social engineering, or using leaked login credentials.
A specially-crafted script can be inserted into the XML layout update via the Admin Panel under Content->Design->Widgets->"Select Design Updates". The malicious XML code looks like this:
<referenceContainer name="content">
<block class="Magento\Framework\View\Element\Template" name="example_block" template="Magento_Theme::example.phtml">
<arguments>
<argument name="custom_var" xsi:type="string"><![CDATA[<script>/*Malicious JavaScript Code Here*/</script>]]></argument>
</arguments>
</block>
</referenceContainer>
When a user interacts with a widget that triggers this custom layout update, the injected code is executed on the server-side, which would then lead to remote code execution. Such attacks can lead to unauthorized access, data theft, and even complete server control in some cases.
Original References
- The official advisory by Magento: https://helpx.adobe.com/security/products/magento/apsb21-29.html
- The CVE details at NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-36023
Mitigation and Patching
---
Magento Commerce has released security patches for the affected versions to fix this vulnerability. They have strongly advised users to upgrade their software to the latest versions, as listed below:
- Magento Commerce 2.3.7-p1: https://magento.com/tech-resources/download#download224
- Magento Commerce 2.4.2-p2: https://magento.com/tech-resources/download#download226
- Magento Open Source 2.3.7-p1: https://magento.com/tech-resources/download#download2245
- Magento Open Source 2.4.2-p2: https://magento.com/tech-resources/download#download225
Store owners should make it a priority to upgrade their platforms to the latest versions and keep a close watch on any unusual activities. It is also crucial to practice safe browsing habits, create strong and unique passwords, and periodically update and review user access privileges to ensure comprehensive security.
Conclusion
---
The CVE-2021-36023 vulnerability poses a significant threat to both Magento Commerce store owners and their customers. Timely patching and security measures should be implemented to secure the online stores and protect sensitive data. Additionally, staying up-to-date with the latest security advisories and following cybersecurity best practices can help prevent such attacks and enhance the security posture of any online platform.
Timeline
Published on: 09/06/2023 14:15:00 UTC