CVE-2021-36036 HIGH

CVE-2021-36036: Magento Commerce Media Gallery Upload Improper Access Control Could Lead To Remote Code Execution

Vendor Adobe

Product Adobe Commerce

Weakness CWE-284

Published September 6, 2023

Last update February 27, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.

Key dates

Disclosure timeline

September 6, 2023 CVE published

February 27, 2025 Record updated