CVE-2021-21014 PoC — Magento Commerce Arbitrary Folder Empty Could Lead To Arbitrary Code Execution

Source

https://github.com/HoangKien1020/CVE-2021-21014

Associated Vulnerability

Title:Magento Commerce Arbitrary Folder Empty Could Lead To Arbitrary Code Execution (CVE-2021-21014)
Description:Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker.

Readme

# PoC (Limited)
# CVE-2021-21014
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker.
## Affected version: <= Magento 2.4.1
## User requirement: Admin account with only Media gallery (+-) Products permission
## Web server: Apache 2
## Result: RCE
# References
https://nvd.nist.gov/vuln/detail/CVE-2021-21014

https://helpx.adobe.com/security/products/magento/apsb21-08.html

File Snapshot


 [4.0K]  /data/pocs/6033a34fa283b3717be3d4c865ea6cb7097e9730
└── [ 551]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!