Description

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

Remediation

References

CVE-2021-28566

Related Vulnerabilities

Ruby on Rails Improper Input Validation Vulnerability (CVE-2016-2098)

WordPress Plugin Copify Cross-Site Request Forgery (1.3.0)

WordPress Plugin Chronoforms Cross-Site Request Forgery (7.0.9)

WordPress Plugin Social Media Widget by Acurax Multiple Unspecified Vulnerabilities (3.2.3)

Piwigo Improper Access Control Vulnerability (CVE-2016-10084)

Severity

Low

Classification

CVE-2021-28566 CWE-200 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities