CVE-2021-21014 — Unrestricted File Upload in Magento

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.5%

top 33.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Magento Commerce +1 more

Timeline

PublishedFeb 11

Latest updateMay 24

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages4 packages

▶NVDmagento/magento< 2.3.6+3

▶Packagistmagento/community-edition2.4.0 — 2.4.2+1

▶CVEListV5adobe/magento_commerceunspecified — 2.4.1+3

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

GHSA

Magento vulnerable to a file upload restriction bypass↗2022-05-24

▶

OSV

Magento vulnerable to a file upload restriction bypass↗2022-05-24

▶

CVEList

Magento Commerce Arbitrary Folder Empty Could Lead To Arbitrary Code Execution↗2021-02-11

▶