CVE-2021-21014

CRITICAL

Magento <=2.4.1 / <=2.4.0-p1 / <=2.3.6 - Authenticated RCE via File Upload Restriction Bypass

Title source: llm

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Exploits (1)

nomisec SUSPICIOUS 4 stars
by HoangKien1020 · poc
https://github.com/HoangKien1020/CVE-2021-21014

Scores

CVSS v3 9.1
EPSS 0.0051
EPSS Percentile 66.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (6)
magento/community-edition 0 - 2.3.6-p1 (Packagist)
magento/magento 2.3.6 (2 CPE variants)
magento/magento 2.4.0 (4 CPE variants)
magento/magento 2.4.1 (2 CPE variants)
magento/magento < 2.3.6 (2 CPE variants)
magento/project-community-edition 0 (Packagist)
Published Feb 11, 2021
Tracked Since Feb 18, 2026