CVE-2021-36036

Name of the Vulnerable Software and Affected Versions Magento versions 2.4.2 and earlier Magento versions 2.4.2-p1 and earlier Magento versions 2.3.7 and earlier

Description The issue is related to improper access control within Magento's Media Gallery Upload workflow. An authenticated attacker with administrative privilege can store a specially crafted file in the website gallery to gain access and delete the .htaccess file, potentially achieving remote code execution. The vulnerability can be exploited by a remote attacker to execute arbitrary code.

Recommendations For Magento versions 2.4.2 and earlier, update to a version that includes the fix for the improper access control vulnerability. For Magento versions 2.4.2-p1 and earlier, update to a version that includes the fix for the improper access control vulnerability. For Magento versions 2.3.7 and earlier, update to a version that includes the fix for the improper access control vulnerability. As a temporary workaround, consider restricting access to the Media Gallery Upload workflow to minimize the risk of exploitation.