PT-2021-6365 · Adobe+1 · Magento Commerce+1
Published
2021-09-01
·
Updated
2022-05-24
·
CVE-2021-36043
CVSS v2.0
8.5
High
| Vector | AV:N/AC:M/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Magento Commerce versions 2.4.2 and earlier
Magento Commerce versions 2.4.2-p1 and earlier
Magento Commerce versions 2.3.7 and earlier
Description
The issue is related to insufficient validation of incoming requests in the Magento Commerce platform, which can be exploited by a remote attacker to achieve remote code execution with admin privileges, particularly if Redis is enabled. This can occur due to a blind SSRF vulnerability in the bundled dotmailer extension.
Recommendations
For Magento Commerce versions 2.4.2 and earlier, update to a version that includes a fix for the blind SSRF vulnerability in the dotmailer extension.
For Magento Commerce versions 2.4.2-p1 and earlier, update to a version that includes a fix for the blind SSRF vulnerability in the dotmailer extension.
For Magento Commerce versions 2.3.7 and earlier, update to a version that includes a fix for the blind SSRF vulnerability in the dotmailer extension.
Fix
RCE
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Magento Commerce
Redis