PT-2021-3425 · Adobe · Magento
Published
2021-05-11
·
Updated
2024-03-06
·
CVE-2021-28566
CVSS v2.0
4.0
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Magento versions 2.4.2 and earlier
Magento versions 2.4.1-p1 and earlier
Magento versions 2.3.6-p1 and earlier
Description
The issue is related to insufficient input validation, which could allow a remote attacker to access confidential information. Successful exploitation of this issue could lead to the disclosure of the document root path by an unauthenticated attacker when a modified png file is uploaded to a product image. Access to the admin console is required for successful exploitation.
Recommendations
For Magento versions 2.4.2 and earlier, update to a version that includes the fix for this issue.
For Magento versions 2.4.1-p1 and earlier, update to a version that includes the fix for this issue.
For Magento versions 2.3.6-p1 and earlier, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the product image upload feature until a patch is available.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Magento