Magento 2.4.2 Media Gallery Upload Improper Access Delete .htaccess
CVE-2021-36036 Published on September 6, 2023
Magento Commerce Media Gallery Upload Improper Access Control Could Lead To Remote Code Execution
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.
Vulnerability Analysis
CVE-2021-36036 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2021-36036 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2021-36036
Want to know whenever a new CVE is published for Magento? stack.watch will email you.
Affected Versions
Adobe Commerce:- Before and including 2.3.7 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.