Lucene search

[email protected]NVD:CVE-2021-28584

HistoryJun 28, 2021 - 2:15 p.m.

CVE-2021-28584

2021-06-2814:15:11

CWE-22

[email protected]

web.nvd.nist.gov

magento

path traversal

store creation

arbitrary file system write

authenticated attacker

admin console

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

59.0%

JSON

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required for successful exploitation.

Affected configurations

Nvd

Node

magentomagentoRange<2.3.6commerce

magentomagentoRange<2.3.6open_source

magentomagentoMatch2.3.6-commerce

magentomagentoMatch2.3.6-open_source

magentomagentoMatch2.3.6p1commerce

magentomagentoMatch2.3.6p1open_source

magentomagentoMatch2.4.1-commerce

magentomagentoMatch2.4.1-open_source

magentomagentoMatch2.4.1p1commerce

magentomagentoMatch2.4.1p1open_source

magentomagentoMatch2.4.2commerce

magentomagentoMatch2.4.2open_source

VendorProductVersionCPE
magentomagento*cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*
magentomagento*cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
magentomagento2.3.6cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*
magentomagento2.3.6cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*
magentomagento2.3.6cpe:2.3:a:magento:magento:2.3.6:p1:*:*:commerce:*:*:*
magentomagento2.3.6cpe:2.3:a:magento:magento:2.3.6:p1:*:*:open_source:*:*:*
magentomagento2.4.1cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*
magentomagento2.4.1cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*
magentomagento2.4.1cpe:2.3:a:magento:magento:2.4.1:p1:*:*:commerce:*:*:*
magentomagento2.4.1cpe:2.3:a:magento:magento:2.4.1:p1:*:*:open_source:*:*:*

Vendor	Product	Version	CPE
magento	magento	*	cpe:2.3:a:magento:magento:::::commerce:::*
magento	magento	*	cpe:2.3:a:magento:magento:::::open_source:::*
magento	magento	2.3.6	cpe:2.3:a:magento:magento:2.3.6:-:::commerce:::*
magento	magento	2.3.6	cpe:2.3:a:magento:magento:2.3.6:-:::open_source:::*
magento	magento	2.3.6	cpe:2.3:a:magento:magento:2.3.6:p1:::commerce:::*
magento	magento	2.3.6	cpe:2.3:a:magento:magento:2.3.6:p1:::open_source:::*
magento	magento	2.4.1	cpe:2.3:a:magento:magento:2.4.1:-:::commerce:::*
magento	magento	2.4.1	cpe:2.3:a:magento:magento:2.4.1:-:::open_source:::*
magento	magento	2.4.1	cpe:2.3:a:magento:magento:2.4.1:p1:::commerce:::*
magento	magento	2.4.1	cpe:2.3:a:magento:magento:2.4.1:p1:::open_source:::*

Rows per page:

1-10 of 121

References

helpx.adobe.com/security/products/magento/apsb21-30.html

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

59.0%

JSON

Related for NVD:CVE-2021-28584

osv3 prion1 github1 cvelist1 cve1 adobe1