CVE-2021-28584

Name of the Vulnerable Software and Affected Versions Magento versions 2.4.2 and earlier Magento versions 2.4.1-p1 and earlier Magento versions 2.3.6-p1 and earlier

Description The issue is related to incorrect restriction of the path name to a directory with limited access. Exploitation of this issue may allow a remote attacker to write arbitrary files to the device's file system. Successful exploitation requires access to the admin console and can be carried out by an authenticated attacker. The vulnerability can be exploited when creating a store with a child theme, potentially leading to arbitrary file system write.

Recommendations For Magento versions 2.4.2 and earlier, update to a version that includes a fix for this issue. For Magento versions 2.4.1-p1 and earlier, update to a version that includes a fix for this issue. For Magento versions 2.3.6-p1 and earlier, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the admin console to minimize the risk of exploitation.