CVE-2021-36042

State: PUBLISHED · Published: 2021-09-01 · Updated: 2024-09-17 · Assigner: adobe

Description

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.

CWE

CWE-20 — Improper Input Validation (CWE-20)

Affected

Adobe / Magento Commerce — v=unspecified ≤2.4.2 [affected]; v=unspecified ≤2.4.2-p1 [affected]; v=unspecified ≤2.3.7 [affected]; v=unspecified ≤None [affected]

CVSS

3.1 score=9.1 severity=CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

https://helpx.adobe.com/security/products/magento/apsb21-64.html x_refsource_MISC

Source

cvelistV5-main/cves/2021/36xxx/CVE-2021-36042.json