CVE-2021-21018 – magento/community-edition
Package
Manager: composer
Name: magento/community-edition
Vulnerable Version: >=0 <2.3.6 || >=2.4.0 <2.4.1-p1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.0805 (percentile: 0.91788)
Details
Magento OS Command Injection
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
Metadata
Created: 2022-05-24T17:41:55Z
Modified: 2024-01-10T19:00:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv48-v862-mp92/GHSA-rv48-v862-mp92.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-rv48-v862-mp92
Finding: F404
Auto approve: 1