Skip to main content

Adobe Commerce CVE-2021-36031

HIGH
Path Traversal (CWE-22)
2021-09-01 psirt@adobe.com
7.2
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (adobe) · only source for this CVE.

CVSS VectorVendor: adobe

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 01, 2021 - 15:15 cve.org
HIGH 7.2

DescriptionCVE.org

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the theme[preview_image] parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.

AnalysisAI

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the theme[preview_image] parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the theme[preview_image] parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution. Affected products include: Adobe Adobe Commerce, Adobe Magento Open Source.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2026-48358 CRITICAL
10.0 Jul 14

Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current u

CVE-2021-36020 CRITICAL
9.8 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Inj

CVE-2026-48356 CRITICAL
9.6 Jul 14

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file

CVE-2026-47984 CRITICAL
9.1 Jul 14

Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plug

CVE-2026-47988 CRITICAL
9.1 Jul 14

Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugi

CVE-2021-36032 HIGH
8.8 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36044 HIGH
7.5 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36030 HIGH
7.5 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2026-47992 HIGH
7.2 Jul 14

SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows

CVE-2021-36042 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36041 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36040 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

Share

CVE-2021-36031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy