PT-2021-14333 · Magento · Magento Upward-Php+1

Mmansoor-Magento

Published

2021-02-25

Updated

2021-03-02

CVE-2021-21064

CVSS v3.1

4.9

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Magento UPWARD-php versions 1.1.4 and earlier Magento UPWARD Connector versions 1.1.2 and earlier

Description: The issue is related to a Path traversal vulnerability due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which allow reading arbitrary files from the remote server. Access to the admin console is required for successful exploitation.

Recommendations: For Magento UPWARD-php versions 1.1.4 and earlier, consider disabling the upload feature until a patch is available. For Magento UPWARD Connector versions 1.1.2 and earlier, restrict access to the upload functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2021-21064

GHSA-P4PW-HPJX-5685

Affected Products

Magento Upward Connector

Magento Upward-Php

PT-2021-14333 · Magento · Magento Upward-Php+1

CVE-2021-21064

Weakness Enumeration

Related Identifiers

Affected Products

References · 7