CVE-2021-21015

Name of the Vulnerable Software and Affected Versions Magento versions 2.4.1 and earlier Magento versions 2.4.0-p1 and earlier Magento versions 2.3.6 and earlier

Description The issue is related to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. The vulnerability is due to the lack of measures to neutralize special elements used in the OS command.

Recommendations For Magento versions 2.4.1 and earlier, update to a version that includes the fix for this issue. For Magento versions 2.4.0-p1 and earlier, update to a version that includes the fix for this issue. For Magento versions 2.3.6 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the customer attribute save controller to minimize the risk of exploitation.