CVE-2021-21025: 
PHP vulnerability analysis and mitigation

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) were identified with a critical XML injection vulnerability in the product layout updates. The vulnerability, tracked as CVE-2021-21025, was discovered and assigned on December 18, 2020, with public disclosure following in February 2021 (CVE MITRE).

The vulnerability is classified as an XML Injection (CWE-91) that affects the product layout update functionality in Magento. The severity of this vulnerability is rated as Critical with a CVSS v3.0 Base Score of 9.1, characterized by the vector string CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. Additionally, it received a CVSS v2.0 Base Score of 6.5 (Medium) with the vector (AV:N/AC:L/Au:S/C:P/I:P/A:P) (NVD).

Successful exploitation of this vulnerability could lead to arbitrary code execution on the affected system. The vulnerability affects both Magento Commerce and Open Source editions, potentially compromising the confidentiality, integrity, and availability of the system (NVD).

Adobe released security updates to address this vulnerability through their security advisory. Users are advised to update to the latest version of Magento that includes the security fix (Adobe Advisory).