Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
{"githubexploit": [{"lastseen": "2021-12-15T15:36:04", "description": "# PoC (Limited)\n# CVE-2021-21014\nMagento versions 2.4.1 (and ear...", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-02-13T06:16:39", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Magento", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21014"], "modified": "2021-12-15T14:41:28", "id": "21ADEAD6-0E66-5C1C-BF4D-81C88E0BDA76", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "adobe": [{"lastseen": "2021-09-30T17:39:48", "description": "Magento has released updates for Magento Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated important and critical. Successful exploitation could lead to arbitrary code execution. 
\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-02-09T00:00:00", "type": "adobe", "title": "APSB21-08 Security\u202fupdates available\u202ffor Magento", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21012", "CVE-2021-21013", "CVE-2021-21014", "CVE-2021-21015", "CVE-2021-21016", "CVE-2021-21018", "CVE-2021-21019", "CVE-2021-21020", "CVE-2021-21022", "CVE-2021-21023", "CVE-2021-21024", "CVE-2021-21025", "CVE-2021-21026", "CVE-2021-21027", "CVE-2021-21029", "CVE-2021-21030", "CVE-2021-21031", "CVE-2021-21032"], "modified": "2021-02-09T00:00:00", "id": "APSB21-08", "href": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-02-09T20:02:46", "description": "Adobe is warning of a critical vulnerability that has been exploited in the wild to target Adobe Reader users on Windows.\n\nThe vulnerability (CVE-2021-21017) has been exploited in \u201climited attacks,\u201d according to [Adobe\u2019s Tuesday 
advisory](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>), part of its regularly scheduled February updates. The flaw in question is a critical-severity [heap-based buffer overflow](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) flaw.\n\nThis type of [buffer-overflow error](<https://cwe.mitre.org/data/definitions/122.html>) occurs when the region of a process\u2019 memory used to store dynamic variables (the heap) can be overwhelmed. If a buffer-overflow occurs, it typically causes the affected program to behave incorrectly. With this flaw in particular, it can be exploited to execute arbitrary code on affected systems.\n\n\u201cAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS,\u201d said Adobe on Tuesday. \u201cThese updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.\u201d\n\n## **Adobe Flaw: Security Updates**\n\nAcrobat is Adobe\u2019s popular family of application software and web services used to view, create and manage files. 
CVE-2021-21017, which was anonymously reported, affects the following Adobe Acrobat Reader versions:\n\n * Acrobat Reader DC versions 2020.013.20074 and earlier for Windows and macOS\n * Acrobat Reader 2020 versions 2020.001.30018 and earlier for Windows and macOS\n * Acrobat Reader 2017 versions 2017.011.30188 and earlier for Windows and macOS\n\nThe flaw has been patched in the following versions:\n\n * Acrobat Reader DC version 2021.001.20135\n * Acrobat Reader 2020 version 2020.001.30020\n * Acrobat Reader 2017 version 2017.011.30190\n\nThese patches are a priority level 1, which according to Adobe means they resolve \u201cvulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.\u201d\n\n\u201cAdobe recommends administrators install the update as soon as possible. (for example, within 72 hours),\u201d [according to its update](<https://helpx.adobe.com/security/severity-ratings.html>).\n\n## **Other Adobe Acrobat and Reader Critical Flaws**\n\nIncluding this exploited flaw, Adobe patched flaws tied to 23 CVEs overall in Acrobat and Reader \u2013 including 17 critical-severity CVEs.\n\nMost of these critical flaws could allow for arbitrary code execution, including a path traversal glitch (CVE-2021-21037), integer overflow error (CVE-2021-21036) and out-of-bounds write issues (CVE-2021-21044, CVE-2021-21038). 
Also patched were buffer overflow flaws (CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063) and use-after-free errors (CVE-2021-21041, CVE-2021-21040, CVE-2021-21039, CVE-2021-21035, CVE-2021-21033, CVE-2021-21028 and CVE-2021-21021).\n\nA critical improper access control flaw (CVE-2021-21045) was also patched that allowed for privilege execution.\n\n## **Critical Magento Security Updates**\n\nIn addition to Acrobat and Reader security updates, Adobe also issued patches for critical vulnerabilities in Magento, its e-commerce platform.\n\nSeven critical flaws were patched as part of this security update. All these flaws, if exploited, could lead to arbitrary code execution. These flaws include three security bypass issues (CVE-2021-21015, CVE-2021-21016 and CVE-2021-21025), a command injection flaw (CVE-2021-21018), an XML injection vulnerability (CVE-2021-21019), a file upload allow list bypass (CVE-2021-21014) and a cross-site scripting flaw (CVE-2021-21030).\n\nAffected are Magento Commerce and Magento open source, 2.4.1 and earlier versions (with a fix in 2.4.2); 2.4.0-p1 and earlier versions (with a fix in 2.4.1-p1) and 2.3.6 and earlier versions (with a fix in 2.3.6-p1).\n\nThe update is a priority level 2, which according to Adobe \u201cresolves vulnerabilities in a product that has historically been at elevated risk.\u201d\n\nMagento would be categorized as an \u201celevated risk\u201d because it is commonly targeted by attackers like the [Magecart threat group](<https://threatpost.com/magecart-blue-bear-attack/151585/>) to target e-commerce stores for cyberattacks like web skimming. 
However, there are currently no known exploits for these flaws, said Adobe.\n\n## **Other Security Flaws in Adobe Products**\n\nAdobe on Tuesday also patched critical-severity flaws in Adobe Photoshop (CVE-2021-21049, CVE-2021-21050, CVE-2021-21048, CVE-2021-21051 and CVE-2021-21047), Adobe Animate (CVE-2021-21052) and Adobe Illustrator (CVE-2021-21053, CVE-2021-21054).\n\nHowever these patches came with a priority level 3 ranking, which means that they resolve vulnerabilities in a product that \u201chas historically not been a target for attackers.\u201d\n\nFor these flaws, \u201cAdobe recommends administrators install the update at their discretion,\u201d according to the security update.\n\nAdobe\u2019s February fixes come on the heels of a busy January security update, [when the company patched](<https://threatpost.com/adobe-critical-flaws-flash-player/162958/>) seven critical vulnerabilities. The impact of the most serious of these flaws ranged from arbitrary code execution to sensitive information disclosure.
\n", "cvss3": {}, "published": "2021-02-09T19:40:47", "type": "threatpost", "title": "Attackers Exploit Critical Adobe Bug, Target Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21014", "CVE-2021-21015", "CVE-2021-21016", "CVE-2021-21017", "CVE-2021-21018", "CVE-2021-21019", "CVE-2021-21021", "CVE-2021-21025", "CVE-2021-21028", "CVE-2021-21030", "CVE-2021-21033", "CVE-2021-21035", "CVE-2021-21036", "CVE-2021-21037", "CVE-2021-21038", "CVE-2021-21039", "CVE-2021-21040", "CVE-2021-21041", "CVE-2021-21044", "CVE-2021-21045", "CVE-2021-21047", "CVE-2021-21048", "CVE-2021-21049", "CVE-2021-21050", "CVE-2021-21051", "CVE-2021-21052", "CVE-2021-21053", "CVE-2021-21054", "CVE-2021-21058", "CVE-2021-21059", "CVE-2021-21062", "CVE-2021-21063"], "modified": "2021-02-09T19:40:47", "id": "THREATPOST:F006B56821C572012C6CBF003C78C596", "href": "https://threatpost.com/critical-adobe-windows-flaw/163789/", "cvss": {"score": 0.0, "vector": "NONE"}}]}