CVE-2021-28566

Description

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

AttackVector

NETWORK

AttackComplexity

LOW

PrivilegesRequired

HIGH

UserInteraction

NONE

Scope

UNCHANGED

ConfidentialityImpact

LOW

IntegrityImpact

NONE

AvailabilityImpact

NONE

BaseScore

2.7

BaseSeverity

LOW

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

PARTIAL

AvailabilityImpact

NONE

IntegrityImpact

NONE

BaseScore

4

VectorString

AV:N/AC:L/Au:S/C:P/I:N/A:N

Version

2.0

AccessVector

NETWORK

Authentication

SINGLE