CVE-2021-36042

CWE-20Improper Input ValidationCWE-434Unrestricted File Upload4 documents4 sources
Severity
7.2HIGH
EPSS
4.1%
top 11.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Magento Community-editionAdobe Magento CommerceAdobe Adobe Commerce+2 more
Timeline
PublishedSep 1
Latest updateMay 24

Description

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages5 packages

CVEListV5adobe/magento_commerceunspecified2.4.2+3
Packagistmagento/community-edition2.4.2-p12.4.2-p2+1
NVDadobe/adobe_commerce2.3.02.3.7+2
NVDadobe/magento_open_source2.3.02.3.7+2

Patches

Patch: helpx.adobe.comPatch: helpx.adobe.com

🔴Vulnerability Details

3
GHSA
Magento executes code via the API File Option Upload Extension2022-05-24
OSV
Magento executes code via the API File Option Upload Extension2022-05-24
CVEList
Magento Commerce API File Option Upload Extension Improper Input Validation Vulnerability Could Lead To Remote Code Execution2021-09-01
CVE-2021-36042 (HIGH CVSS 7.2) | Magento Commerce versions 2.4.2 (an | cvebase.io