CVE-2021-28556: 
PHP vulnerability analysis and mitigation

A DOM-based Cross-Site Scripting (XSS) vulnerability was discovered in Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier), and 2.3.6-p1 (and earlier). The vulnerability specifically affects the mage-messages cookies functionality (NVD, Adobe Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 6.9 (Medium) from Adobe Systems with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N, while NIST assigned a score of 4.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

Successful exploitation of this vulnerability could lead to arbitrary JavaScript execution by an unauthenticated attacker. The vulnerability affects both confidentiality and integrity of the system, though user interaction is required for successful exploitation (NVD).

Adobe has addressed this vulnerability in subsequent releases after versions 2.4.2, 2.4.1-p1, and 2.3.6-p1. Users are advised to update to the latest version of Magento to mitigate this vulnerability (Adobe Advisory).

The vulnerability was discovered and reported by security researchers Charybdis, Rutger Rademaker, and Igor Wulff from Youwe (Adobe Advisory).