7.2

CVE-2021-36036

Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.

Data is provided by the National Vulnerability Database (NVD)
MagentoMagento SwEditioncommerce Version < 2.3.7
MagentoMagento SwEditionopen_source Version < 2.3.7
MagentoMagento SwEditioncommerce Version >= 2.4.0 < 2.4.2
MagentoMagento SwEditionopen_source Version >= 2.4.0 < 2.4.2
MagentoMagento Version2.3.7 Update- SwEditioncommerce
MagentoMagento Version2.3.7 Update- SwEditionopen_source
MagentoMagento Version2.4.2 Update- SwEditioncommerce
MagentoMagento Version2.4.2 Update- SwEditionopen_source
MagentoMagento Version2.4.2 Updatep1 SwEditioncommerce
MagentoMagento Version2.4.2 Updatep1 SwEditionopen_source
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.18% 0.779
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
psirt@adobe.com 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.