Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which allows reading arbitrary files from the remote server. Access to the admin console is required for successful exploitation.
References
| Link | Resource |
|---|---|
| https://github.com/magento/upward-php/security | Third Party Advisory |
| https://github.com/magento/upward-php/security/advisories/GHSA-p4pw-hpjx-5685 | Third Party Advisory |
| https://github.com/magento/upward-php/security | Third Party Advisory |
| https://github.com/magento/upward-php/security/advisories/GHSA-p4pw-hpjx-5685 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 05:47
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/magento/upward-php/security - Third Party Advisory | |
| References | () https://github.com/magento/upward-php/security/advisories/GHSA-p4pw-hpjx-5685 - Third Party Advisory |
07 Nov 2023, 03:29
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : 4.0
v3 : unknown |
Information
Published : 2021-02-25 14:15
Updated : 2024-11-21 05:47
NVD link : CVE-2021-21064
Mitre link : CVE-2021-21064
CVE.ORG link : CVE-2021-21064
JSON object : View
Products Affected
magento
- upward_connector
- upward_php
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')