CVE-2021-21018
Magento Commerce Unauthorized Data Modification Could Lead To Arbitrary Code Execution
CVSS 3.1 base score 9.1 (CRITICAL); EPSS 6.9%
Description
Magento versions 2.4.1 (and earlier), 2.4.0 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
How to fix CVE-2021-21018
To remediate CVE-2021-21018, upgrade the affected package to a fixed version below.
- Upgrade to 2.3.6 or later
Is CVE-2021-21018 being exploited?
Moderate — EPSS is 6.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 2.3.6, >= 2.4.0, < 2.4.2
- from 0, < 2.3.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |