CVE-2021-21064 — Path Traversal in Adobe Magento Commerce

CWE-22 — Path Traversal2 documents2 sources

Severity

4.9MEDIUMNVD

EPSS

0.7%

top 28.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Magento Commerce Magento Upward Connector Magento Upward PHP

Timeline

PublishedFeb 25

Description

Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which allows reading arbitrary files from the remote server. Access to the admin console is required for successful exploitation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶NVDmagento/upward_connector1.1.2

▶NVDmagento/upward_php1.1.4

▶CVEListV5adobe/magento_commerceunspecified — 1.1.4+1

🔴Vulnerability Details

CVEList

Magento UPWARD-php Path traversal vulnerability via UPWARD Connector↗2021-02-25

▶