CVE-2021-21016 – magento/community-edition
Package
Manager: composer
Name: magento/community-edition
Vulnerable Version: >=0 <2.3.6-p1 || >=2.4.0 <2.4.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.04238 (percentile 0.88339)
Details
Magento OS command injection via the WebAPI
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
Metadata
Created: 2022-05-24T17:41:54Z
Modified: 2025-02-10T20:40:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-792f-c8mp-2cr5/GHSA-792f-c8mp-2cr5.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-792f-c8mp-2cr5
Finding: F404
Auto approve: 1