PT-2021-6369 · Adobe · Magento Commerce

Published: 2021-08-11 · Updated: 2022-05-24 · CVE-2021-36042

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Magento Commerce versions 2.4.2 (and earlier) and 2.4.2-p1 (and earlier)
Magento Commerce version 2.3.7 (and earlier)

Description

The issue is caused by improper input validation in the API File Option Upload Extension. An attacker with Admin privileges can exploit this to achieve unrestricted file upload, potentially resulting in remote code execution.

Recommendations

For Magento Commerce versions 2.4.2 (and earlier) and 2.4.2-p1 (and earlier), and for Magento Commerce version 2.3.7 (and earlier), update to a version that fixes the improper input validation vulnerability in the API File Option Upload Extension. As a temporary workaround, consider restricting access to the API File Option Upload Extension until a patch is available.

Fix

RCE

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

BDU:2022-01395
CVE-2021-36042
GHSA-6CWV-WJ7V-73XP

Affected Products

Magento Commerce