Vulnerability Description
Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which allows reading arbitrary files from the remote server. Access to the admin console is required for successful exploitation.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Magento | Upward Connector | <= 1.1.2 |
| Magento | Upward Php | <= 1.1.4 |
Related Weaknesses (CWE)
References
- https://github.com/magento/upward-php/securityThird Party Advisory
- https://github.com/magento/upward-php/security/advisories/GHSA-p4pw-hpjx-5685Third Party Advisory
- https://github.com/magento/upward-php/securityThird Party Advisory
- https://github.com/magento/upward-php/security/advisories/GHSA-p4pw-hpjx-5685Third Party Advisory
FAQ
What is CVE-2021-21064?
CVE-2021-21064 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature. An attacker could potent...
How severe is CVE-2021-21064?
CVE-2021-21064 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21064?
Check the references section above for vendor advisories and patch information. Affected products include: Magento Upward Connector, Magento Upward Php.