← back
CVE-2021-36036

Magento Commerce Media Gallery Upload Improper Access Control Could Lead To Remote Code Execution

CVSS 7.2 HIGHEPSS 2.1%CWE-284
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.2EPSS 2.1%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
06 Sep 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Adobe · Adobe Commerce

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://helpx.adobe.com/security/products/magento/apsb21-64.html