PT-2021-2182 · Adobe · Magento
Published 2021-02-09 · Updated 2024-03-06 · CVE-2021-21014
CVSS v3.1: 9.1 (Critical), vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Magento versions 2.4.1 and earlier
Magento versions 2.4.0-p1 and earlier
Magento versions 2.3.6 and earlier
Description
The issue is a file upload restriction bypass: Magento does not adequately restrict the upload of files of dangerous types (Unrestricted File Upload). An authenticated remote attacker with access to the admin console can upload such a file and achieve arbitrary code execution on the server; access to the admin console is required for successful exploitation.
Recommendations
For Magento versions 2.4.1 and earlier, update to a version that includes the fix for this issue.
For Magento versions 2.4.0-p1 and earlier, update to a version that includes the fix for this issue.
For Magento versions 2.3.6 and earlier, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting file uploads to minimize the risk of exploitation.
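The following is an added illustration of the weakness class named in this advisory and of the "restrict file uploads" workaround; it is not Magento or Adobe code and does not reflect how Magento implements its upload handling. It contrasts a weak extension-only check with a hardened validator that enforces an allowlist of image types, requires exactly one extension, verifies the file's magic bytes against the declared type, discards the client-supplied name and stores the file under a server-chosen random name. All function names, the allowlist and the sample uploads are constructed for this example.

```python
import os
import re
import secrets
from typing import Tuple

# Allowlist: extension -> magic-byte prefixes the content must start with.
# Only image types are accepted; every other type (scripts included) is rejected.
# Constructed for this example, not Magento's configuration.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # example limit, not a Magento default

# The stem (name without extension) may only contain these characters.
_SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message states the reason."""


def naive_is_allowed(filename: str) -> bool:
    """Weak check of the kind CWE-434 describes: trusts the client-supplied
    filename and looks only at its final extension. Kept here for contrast."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))


def validate_upload(filename: str, content: bytes) -> Tuple[str, str]:
    """Validate an upload and return (canonical_extension, stored_name).

    stored_name is a server-chosen random name, so nothing from the client
    filename (path components, odd extensions) ever reaches the filesystem.
    """
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory component and reject hidden names / control bytes.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base or base.startswith("."):
        raise UploadRejected("invalid filename")
    parts = base.lower().split(".")
    if len(parts) != 2:
        # Exactly one extension: rejects 'name', 'name.php.jpg' and 'name.jpg.'
        raise UploadRejected("filename must have exactly one extension")
    stem, ext = parts
    if not _SAFE_STEM.match(stem):
        raise UploadRejected("filename contains disallowed characters")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    # The declared type must match the bytes actually uploaded.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    canonical = "jpg" if ext == "jpeg" else ext
    stored = f"{secrets.token_hex(16)}.{canonical}"
    return canonical, stored


def check(filename: str, content: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for an upload."""
    try:
        validate_upload(filename, content)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


# Constructed sample uploads (file names and bytes are made up for this example).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,        # genuine JPEG header
    "logo.PNG": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,        # case differs, still PNG
    "page.php": b"<?php /* constructed script body */ ?>",  # disallowed type
    "page.php.jpg": b"<?php /* constructed */ ?>",          # double extension
    "renamed.jpg": b"<?php /* constructed */ ?>",           # allowed name, wrong bytes
    "../../pub/x.jpg": b"\xff\xd8\xff" + b"\x00" * 8,       # path component discarded
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name!r:20} naive={naive_is_allowed(name)!s:5} hardened={check(name, data)}")
```

Run stand-alone, the table shows the extension-only check accepting the double-extension and renamed-script samples that the hardened validator rejects. The validator deliberately returns a random stored name: even if a check is later weakened, the attacker never controls where or under what name the file lands, which is the property that makes an upload-to-execution chain fail.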
Weakness Enumeration
Unrestricted File Upload
Affected Products
Magento