Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure.

Security Updates Available for Magento | APSB21-08

Bulletin ID

Date Published

Priority

ASPB21-08

February 09, 2021      

2

Magento has released updates for Magento Commerce and Magento Open Source editions. These updates resolve vulnerabilities  rated important and critical. Successful exploitation could lead to arbitrary code execution.    

**Product**

**Version**

**Platform**

  
Magento Commerce   

2.4.1 and earlier versions    

All  

2.4.0-p1 and earlier versions    

All

2.3.6 and earlier versions   

All  

Magento Open Source 

2.4.1 and earlier versions  

All

2.4.0-p1 and earlier versions  

All

2.3.6 and earlier versions   

All  

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Release Notes

Magento Commerce   

2.4.2  

All  

2  

2.4.x release notes

2.3.x release notes  

2.4.1-p1  

All  

2  

2.3.6-p1

All  

2  

Magento Open Source   

2.4.2  

All

2

2.4.1-p1  

All

2

2.3.6-p1

All  

2  

Vulnerability Category

Vulnerability Impact

Severity

Pre-authentication?

Admin privileges required?

Magento Bug ID

CVE numbers

Insecure Direct Object Reference (IDOR)  

Unauthorized access to restricted resources  

Important   

No  

No  

PRODSECBUG-2812  

CVE-2021-21012  

Insecure Direct Object Reference (IDOR)  

Unauthorized access to restricted resources  

Important   

No  

No  

PRODSECBUG-2815  

CVE-2021-21013

File Upload Allow List Bypass  

Arbitrary code execution   

Critical  

No  

Yes  

PRODSECBUG-2820  

CVE-2021-21014  

Security bypass  

Arbitrary code execution   

Critical  

No  

Yes  

PRODSECBUG-2830  

CVE-2021-21015  

Security bypass  

Arbitrary code execution   

Critical  

No  

Yes  

PRODSECBUG-2835  

CVE-2021-21016  

Command injection  

Arbitrary code execution   

Critical  

No  

Yes  

PRODSECBUG-2845  

CVE-2021-21018  

XML injection  

Arbitrary code execution   

Critical  

No  

Yes  

PRODSECBUG-2847  

CVE-2021-21019  

Access control bypass  

Unauthorized access to restricted resources  

Important   

No  

No  

PRODSECBUG-2849  

CVE-2021-21020  

Insecure Direct Object Reference (IDOR)  

Unauthorized access to restricted resources  

Important   

Yes  

No  

PRODSECBUG-2863  

CVE-2021-21022  

Cross-site scripting (Stored)  

Arbitrary JavaScript execution in the browser  

Important   

No  

Yes  

PRODSECBUG-2893  

CVE-2021-21023  

Blind SQL injection  

Unauthorized access to restricted resources  

Important   

No  

Yes  

PRODSECBUG-2896  

CVE-2021-21024  

Security bypass  

Arbitrary code execution   

Critical  

No  

Yes  

PRODSECBUG-2900  

CVE-2021-21025  

Improper Authorization  

Unauthorized access to restricted resources  

Important   

No  

Yes  

PRODSECBUG-2902  

CVE-2021-21026  

Cross-site request forgery  

Unauthorized modification of customer metadata  

Moderate  

No  

No  

PRODSECBUG-2903  

CVE-2021-21027  

Cross-site scripting (reflected)  

Arbitrary JavaScript execution in the browser  

Important   

Yes  

No  

PRODSECBUG-2907  

CVE-2021-21029  

Cross-site scripting (Stored)

Arbitrary JavaScript execution in the browser  

Critical  

Yes  

No  

PRODSECBUG-2912  

CVE-2021-21030  

Insufficient Invalidation of User Session  

Unauthorized access to restricted resources  

Important   

No  

No  

PRODSECBUG-2914  

CVE-2021-21031  

Insufficient Invalidation of User Session  

Unauthorized access to restricted resources  

Important   

No  

No  

MC-36608  

CVE-2021-21032  

Note:

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.

Dependency

Vulnerability Impact

Affected Versions

Angular  

Prototype Pollution  

2.4.2, 2.4.1-p1, 2.3.6-p1  

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Malerisch (CVE-2021-21012)
*   Niels Pijpers (CVE-2021-21013)
*   Blaklis (CVE-2021-21014, CVE-2021-21018, CVE-2021-21030)
*   Kien Hoang (hoangkien1020) (CVE-2021-21014)
*   Edgar Boda-Majer of Bugscale (CVE-2021-21015, CVE-2021-21016, CVE-2021-21022) 
*   Kien Hoang (CVE-2021-21020)
*   bobbytabl35\_ (CVE-2021-21023)
*   Wohlie (CVE-2021-21024)
*   Peter O'Callaghan (CVE-2021-21025)
*   Kiên Ka Lư (CVE-2021-21026)
*   Lachlan Davidson (CVE-2021-21027)
*   Natsasit Jirathammanuwat (Office Thailand) working with SEC Consult Vulnerability Lab (CVE-2021-21029)
*   Anas (CVE-2021-21031)

February 09, 2021: Updated acknowledgement details about CVE-2021-21014.

CVE-2021-21012: Adobe Security Bulletin

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the customer API module. Successful exploitation could lead to sensitive information disclosure and update arbitrary information on another user's account.

CVE-2021-21013: Adobe Security Bulletin

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

CVE-2021-3133: Changeset 2454670 – WordPress Plugin Repository

The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system.

CVE-2021-21465

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-36183: Block one more gadget type (org.docx4j.org.apache:xalan-interpretive, CVE-2020-36183) · Issue #3003 · FasterXML/jackson-databind

There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability.

Description Guilherme de Almeida Suckevicz 2020-12-14 16:38:44 UTC

A flaw was found in OpenJPEG. Specially crafted file can lead to an out-of-bounds read in opj\_tgt\_reset function in lib/openjp2/tgt.c.

Reference:
https://github.com/uclouvain/openjpeg/issues/1294

Comment 1 Todd Cullum 2020-12-15 01:30:07 UTC

Acknowledgments:

Name: zodf0055980 (SQLab NCTU Taiwan)

Comment 2 Todd Cullum 2020-12-15 01:35:05 UTC

Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all \[bug 1907682\]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all \[bug 1907680\]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-7 \[bug 1907679\]
Affects: fedora-all \[bug 1907681\]

Comment 3 Todd Cullum 2020-12-15 01:41:47 UTC

Upstream commit: https://github.com/uclouvain/openjpeg/pull/1296/commits/fbd30b064f8f9607d500437b6fedc41431fd6cdc

Comment 6 Product Security DevOps Team 2021-11-09 17:52:58 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27842

Comment 7 errata-xmlrpc 2021-11-09 17:56:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251

CVE-2020-27842: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c

A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.

Description Guilherme de Almeida Suckevicz 2020-12-14 16:42:17 UTC

A flaw was found in OpenJPEG. Specially crafted input file can lead to an out-of-bounds read in opj\_t2\_encode\_packet function in openjp2/t2.c.

Reference:
https://github.com/uclouvain/openjpeg/issues/1297

Comment 1 Todd Cullum 2020-12-15 01:46:49 UTC

Created mingw-openjpeg2 tracking bugs for this issue:

Affects: fedora-all \[bug 1907688\]


Created openjpeg tracking bugs for this issue:

Affects: fedora-all \[bug 1907687\]


Created openjpeg2 tracking bugs for this issue:

Affects: epel-7 \[bug 1907685\]
Affects: fedora-all \[bug 1907686\]

Comment 2 Todd Cullum 2020-12-15 01:51:12 UTC

Acknowledgments:

Name: zodf0055980 (SQLab NCTU Taiwan)

Comment 6 Product Security DevOps Team 2021-11-09 17:53:29 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27843

Comment 7 errata-xmlrpc 2021-11-09 17:56:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4251 https://access.redhat.com/errata/RHSA-2021:4251

CVE-2020-27843: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c

An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. Depending on the vector chosen, an attacker can overwrite the service executable and execute arbitrary code with System privileges or replace other files within the installation folder that could lead to local privilege escalation.

**Summary**

An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. Depending on the vector chosen, an attacker can overwrite the service executable and execute arbitrary code with System privileges or replace other files within the installation folder that could lead to local privilege escalation.

**Tested Versions**

Win-911 Mobile Server V2.5

**Product URLs**

https://www.win911.com/products/mobile/

**CVSSv3 Score**

9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-276 - Incorrect Default Permissions

**Details**

WIN-911 Mobile delivers critical SCADA/OT, HMI and control networks alerts to mobile devices in real time. It supports various methods of alert configuration, routing and escalation designed to ensure safety of the environment.

By default, Mobile-911 Server V2.5 is installed in “c:\\Program Files (x86)\\WIN-911 Software\\Mobile-911 Server” directory and it allows “Everyone” group to have “Change” privilege over certain files in the directory which are executed with SYSTEM authority. This allows any user on the system to modify arbitrary files in the install directory resulting in privilege escalation.

    c:\program files (x86)\win-911 software\mobile-911 server\Mobile911.Server.exe 
                                                                                   Everyone:C
    																			   BUILTIN\Administrators:F
    																			   NT AUTHORITY\SYSTEM:(ID)F
    																			   BUILTIN\Administrators:(ID)F
    																			   BUILTIN\Users:(ID)R
    																			   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
    																			   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(ID)R
    

In addition, library files loaded by the service can also be replaced to gain privileged access into the primary Mobile911.Server service executed as Local System:

    c:\Program Files (x86)\WIN-911 Software\Mobile-911 Server\Mobile911.Common.dll 
                                                                                   Everyone:C
    																			   BUILTIN\Administrators:F
    																			   NT AUTHORITY\SYSTEM:(ID)F
    																			   BUILTIN\Administrators:(ID)F
    																			   BUILTIN\Users:(ID)R
    																			   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
    																			   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(ID)R
                                                                                   
    c:\Program Files (x86)\WIN-911 Software\Mobile-911 Server\System.Data.SQLite.dll 
                                                                                     Everyone:C
    																				 BUILTIN\Administrators:F
    																				 NT AUTHORITY\SYSTEM:(ID)F
    																				 BUILTIN\Administrators:(ID)F
    																				 BUILTIN\Users:(ID)R
    																				 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
    																				 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(ID)R
                                                                                     
    c:\Program Files (x86)\WIN-911 Software\Mobile-911 Server\x64\SQLite.Interop.dll 
                                                                                     Everyone:C
    																				 BUILTIN\Administrators:F
    																				 Everyone:(ID)C
    																				 BUILTIN\Administrators:(ID)F
    																				 NT AUTHORITY\SYSTEM:(ID)F
    																				 BUILTIN\Users:(ID)R
    																				 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
    																				 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(ID)R
                                                                                     
    c:\Program Files (x86)\WIN-911 Software\Mobile-911 Server\x86\SQLite.Interop.dll 
                                                                                     Everyone:(ID)C
    																				 BUILTIN\Administrators:(ID)F
    																				 NT AUTHORITY\SYSTEM:(ID)F
    																				 BUILTIN\Users:(ID)R
    																				 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
    

**Credit**

Discovered by Yuri Kramarz of Cisco Talos.

https://talosintelligence.com/vulnerability\_reports/

**Timeline**

2020-09-01 - Vendor Disclosure  
2020-09-02 - Vendor confirmed support ticket issued  
2020-11-04 - 60 day follow up  
2020-12-09 - 90 day follow up  
2021-01-04 - Public Release

Discovered by Yuri Kramarz of Cisco Talos.

CVE-2020-13541: TALOS-2020-1151 || Cisco Talos Intelligence Group

An issue was discovered in the rusqlite crate before 0.23.0 for Rust. Memory safety can be violated via the repr(Rust) type.

History ⋅ Edit

**RUSTSEC-2020-0014**

Various memory safety issues

Issued

April 23, 2020

Package

rusqlite (crates.io)

Type

Vulnerability

Aliases

*   CVE-2020-35866
*   CVE-2020-35867
*   CVE-2020-35868
*   CVE-2020-35869
*   CVE-2020-35870
*   CVE-2020-35871
*   CVE-2020-35872
*   CVE-2020-35873

Details

https://github.com/rusqlite/rusqlite/releases/tag/0.23.0

Patched

*   `>=0.23.0`

Affected Functions

Version

`rusqlite::Connection::get_aux`

*   `<0.23.0`

`rusqlite::Connection::set_aux`

*   `<0.23.0`

`rusqlite::session::Session::attach`

*   `<0.23.0`

`rusqlite::session::Session::diff`

*   `<0.23.0`

`rusqlite::trace::log`

*   `<0.23.0`

`rusqlite::vtab::create_module`

*   `<0.23.0`

**Description**

Several memory safety issues have been uncovered in an audit of rusqlite.

See https://github.com/rusqlite/rusqlite/releases/tag/0.23.0 for a complete list.

Tag

#sql