Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Remediation

References

CVE-2021-21015

Related Vulnerabilities

Jboss EAP Uncontrolled Resource Consumption Vulnerability (CVE-2017-12174)

WebLogic CVE-2021-2108 Vulnerability (CVE-2021-2108)

WordPress Plugin Book appointment online Cross-Site Scripting (1.38)

MediaWiki Improper Access Control Vulnerability (CVE-2012-4379)

WordPress Plugin WordPress Meta Data and Taxonomies Filter (MDTF) PHP Object Injection (1.2.2)

Severity

High

Classification

CVE-2021-21015 CWE-138 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities