Critical severityNVD Advisory· Published Sep 6, 2023· Updated Feb 27, 2025
Magento Commerce Media Gallery Upload Improper Access Control Could Lead To Remote Code Execution
CVE-2021-36036
Description
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/project-community-editionPackagist | <= 2.0.2 | — |
magento/community-editionPackagist | < 2.3.7-p1 | 2.3.7-p1 |
magento/community-editionPackagist | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
4- osv-coords3 versionspkg:bitnami/magentopkg:composer/magento/community-editionpkg:composer/magento/project-community-edition
< 2.3.7+ 2 more
- (no CPE)range: < 2.3.7
- (no CPE)range: < 2.3.7-p1
- (no CPE)range: <= 2.0.2
- Range: 0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-wqr6-wv6c-p8fxghsaADVISORY
- helpx.adobe.com/security/products/magento/apsb21-64.htmlghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-36036ghsaADVISORY
News mentions
0No linked articles in our index yet.