CVE-2021-36042

CRITICAL

Adobe Commerce/Magento Open Source <=2.4.2-p1 - Admin File Upload Code Execution

Title source: manual

Description

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.

References (1)

Core 1

Core References

Patch, Vendor Advisory x_refsource_misc

https://helpx.adobe.com/security/products/magento/apsb21-64.html

Scores

CVSS v3 9.1

EPSS 0.0247

EPSS Percentile 82.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-20 CWE-434

Status published

Products (6)

adobe/adobe_commerce 2.4.2 p1

adobe/adobe_commerce 2.3.0 - 2.3.7

adobe/magento_open_source 2.4.2 p1

adobe/magento_open_source 2.3.0 - 2.3.7

magento/community-edition Packagist

magento/project-community-edition 0Packagist

Published Sep 01, 2021

Tracked Since Feb 18, 2026