https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-21029_Adobe_Magento_Commerce_XSS%E6%BC%8F%E6%B4%9ECVE-2021-21029 Adobe Magento Commerce XSS漏洞 - Revision history2026-04-19T15:20:03ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2021-21029_Adobe_Magento_Commerce_XSS%E6%BC%8F%E6%B4%9E&diff=3634&oldid=prevPwnwiki: Created page with "<pre> SEC Consult Vulnerability Lab Security Advisory < 20210210-0 > ======================================================================= title: Reflected Cro..."2021-05-30T02:58:47Z<p>Created page with "<pre> SEC Consult Vulnerability Lab Security Advisory < 20210210-0 > ======================================================================= title: Reflected Cro..."</p>
<p><b>New page</b></p><div><pre><br />
SEC Consult Vulnerability Lab Security Advisory < 20210210-0 ><br />
=======================================================================<br />
title: Reflected Cross-Site Scripting (XSS)<br />
product: Adobe Magento Commerce<br />
vulnerable version: < 2.4.2<br />
fixed version: 2.4.2<br />
CVE number: CVE-2021-21029<br />
impact: Medium<br />
homepage: https://magento.com/<br />
found: 2020-06-29<br />
by: Natsasit Jirathammanuwat (Office Thailand)<br />
SEC Consult Vulnerability Lab<br />
<br />
An integrated part of SEC Consult, an Atos company<br />
Europe | Asia | North America<br />
<br />
https://www.sec-consult.com<br />
<br />
=======================================================================<br />
<br />
Vendor description:<br />
-------------------<br />
"Magento Commerce, offers a one-of-a-kind eCommerce solution with<br />
enterprise power, unlimited scalability, and open-source flexibility<br />
for B2C and B2B experiences. Magento allows you to create unique,<br />
full-lifecycle customer experiences proven to generate more sales.<br />
No matter what your company’s size or goals — omnichannel, global<br />
expansion, mobile — Magento delivers everything you need for growth<br />
in an increasingly competitive market."<br />
<br />
Source: https://magento.com/products<br />
<br />
<br />
Business recommendation:<br />
------------------------<br />
Update to the latest version of Adobe Magento Commerce.<br />
<br />
An in-depth security analysis performed by security professionals is highly<br />
advised, as the software may be affected from further security issues.<br />
<br />
<br />
Vulnerability overview/description:<br />
-----------------------------------<br />
1) Reflected Cross-Site Scripting (XSS) (CVE-2021-21029)<br />
This vulnerability allows an unauthenticated user to inject malicious<br />
client side script into the URL and send to the victim. The browser may<br />
redirect the victim (e.g. admin) to the frontend page when visiting the URL,<br />
the script will be executed after the victim visits the admin panel again.<br />
<br />
This vulnerability has two different scenarios:<br />
1. Security configuration "Add Secret Key to URLs" is enabled (default).<br />
- Admin panel path is required.<br />
- Key value (secret hash) in the URL is required.<br />
- User interaction is required (navigate back to the admin panel).<br />
<br />
2. Security configuration "Add Secret Key to URLs" is disabled.<br />
- Admin panel path is required.<br />
- User interaction is required (navigate back to the admin panel).<br />
<br />
<br />
Proof of concept:<br />
-----------------<br />
1) Reflected Cross-Site Scripting (XSS) (CVE-2021-21029)<br />
The "file" parameter is vulnerable to reflected cross-site scripting<br />
vulnerability. By sending the XSS payload in the Base64 encoded format<br />
in the URL as follows:<br />
<br />
1. Security configuration "Add Secret Key to URLs" is enabled (default).<br />
URL format:<br />
https://{baseURL}/{adminPath}/admin/system_design_theme/downloadCss/theme_id/{themeID}/file/{base64encoded_xss_payload}/key/{secret_hash}<br />
Example URL:<br />
https://127.0.0.1/index.php/admin/admin/system_design_theme/downloadCss/theme_id/1/file/PHNjcmlwdD5hbGVydCgnWFNTIGJ5IFNFQyBDb25zdWx0Jyk8L3NjcmlwdD4%3D/key/0f5d20e8559bb6f45e4840ceb6231870f3a8fe122698b37c32ceabbb33595813<br />
<br />
2. Security configuration "Add Secret Key to URLs" is disabled.<br />
URL format:<br />
https://{baseURL}/{adminPath}/admin/system_design_theme/downloadCss/theme_id/{themeID}/file/{base64encoded_xss_payload}/<br />
Example URL:<br />
https://127.0.0.1/index.php/admin/admin/system_design_theme/downloadCss/theme_id/1/file/PHNjcmlwdD5hbGVydCgnWFNTIGJ5IFNFQyBDb25zdWx0Jyk8L3NjcmlwdD4%3D/<br />
<br />
<br />
Vulnerable / tested versions:<br />
-----------------------------<br />
Magento2 version 2.3.5-p1 has been tested, which was the latest version<br />
available at the time of the test. Previous versions may also be affected.<br />
Later versions until the patched version v2.4.2 are affected as well.<br />
<br />
<br />
Vendor contact timeline:<br />
------------------------<br />
2020-07-09 | Contacting vendor through https://hackerone.com/magento.<br />
2020-07-09 | The report is flagged as out-of-scope in hackerone.<br />
2020-08-13 | Contacting vendor and requesting encryption key through psirt@adobe.com.<br />
2020-08-13 | Vendor provides PGP encryption key.<br />
2020-08-14 | Sending encrypted advisory to the vendor.<br />
2020-09-09 | Asking vendor for a status update.<br />
2020-09-10 | Vendor is still investigating the issue.<br />
2020-09-28 | Asking vendor for a status update.<br />
2020-10-02 | Vendor is still investigating the issue.<br />
2020-11-24 | Asking vendor for a status update.<br />
2020-11-24 | Vendor is planing to fix the issue in next release.<br />
2021-02-02 | Asking vendor for a status update and the release date.<br />
2021-02-02 | Vendor is planing to release a security update on February 9th.<br />
2021-02-10 | Coordinated release of security advisory.<br />
<br />
<br />
Solution:<br />
---------<br />
Update to the latest available version v2.4.2 of Magento2 from the vendor's download<br />
page:<br />
https://magento.com/tech-resources/download<br />
<br />
Vendor security advisory:<br />
https://helpx.adobe.com/security/products/magento/apsb21-08.html<br />
<br />
<br />
Workaround:<br />
-----------<br />
None<br />
<br />
<br />
Advisory URL:<br />
-------------<br />
https://sec-consult.com/vulnerability-lab/<br />
<br />
<br />
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />
<br />
SEC Consult Vulnerability Lab<br />
<br />
SEC Consult, an Atos company<br />
Europe | Asia | North America<br />
<br />
About SEC Consult Vulnerability Lab<br />
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />
Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />
field of network and application security to stay ahead of the attacker. The<br />
SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />
the evaluation of new offensive and defensive technologies for our customers.<br />
Hence our customers obtain the most current information about vulnerabilities<br />
and valid recommendation about the risk profile of new technologies.<br />
<br />
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />
Interested to work with the experts of SEC Consult?<br />
Send us your application https://sec-consult.com/career/<br />
<br />
Interested in improving your cyber security with the experts of SEC Consult?<br />
Contact our local offices https://sec-consult.com/contact/<br />
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />
<br />
Mail: research at sec-consult dot com<br />
Web: https://www.sec-consult.com<br />
Blog: http://blog.sec-consult.com<br />
Twitter: https://twitter.com/sec_consult<br />
<br />
EOF N. Jirathammanuwat / @2021<br />
<br />
</pre></div>Pwnwiki