PT-2021-6294 · Adobe · Magento Commerce
Published
2021-08-11
·
Updated
2022-05-24
·
CVE-2021-36025
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Magento Commerce versions 2.4.2 and earlier
Magento Commerce versions 2.4.2-p1 and earlier
Magento Commerce versions 2.3.7 and earlier
Description
The issue is related to improper input validation when saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can exploit this to achieve remote code execution. The vulnerability exists due to insufficient input validation, allowing a remote attacker to execute arbitrary code.
Recommendations
For Magento Commerce versions 2.4.2 and earlier, update to a version that includes the necessary input validation fixes.
For Magento Commerce versions 2.4.2-p1 and earlier, update to a version that includes the necessary input validation fixes.
For Magento Commerce versions 2.3.7 and earlier, update to a version that includes the necessary input validation fixes.
As a temporary workaround, consider restricting access to the customer details saving functionality to minimize the risk of exploitation.
Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Magento Commerce