CVE-2021-21018

Name of the Vulnerable Software and Affected Versions: Magento versions 2.4.1 and earlier Magento versions 2.4.0-p1 and earlier Magento versions 2.3.6 and earlier

Description: The issue is related to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. The vulnerability is associated with the failure to neutralize special elements used in the OS command, which can be exploited by a remote attacker to execute arbitrary code.

Recommendations: For Magento versions 2.4.1 and earlier, update to a version that includes a fix for the OS command injection vulnerability in the scheduled operation module. For Magento versions 2.4.0-p1 and earlier, update to a version that includes a fix for the OS command injection vulnerability in the scheduled operation module. For Magento versions 2.3.6 and earlier, update to a version that includes a fix for the OS command injection vulnerability in the scheduled operation module. As a temporary workaround, consider restricting access to the scheduled operation module to minimize the risk of exploitation.