Miggo Logo
Miggo Vulnerability Database
CVE-2021-28583

CVE-2021-28583:
Magento Violation of Secure Design Principles vulnerability in RMA PDF filename formats

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-28583
GHSA ID
GHSA-7gh6-f4jh-3crq
EPSS Score
0.66345%
CWE
CWE-657
Published
5/24/2022
Updated
2/10/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.4.0, < 2.4.2-p12.4.2-p1
magento/community-editioncomposer< 2.3.72.3.7
magento/project-community-editioncomposer<= 2.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided commit diff and vulnerability description focus on RMA PDF filename format vulnerabilities, but the code changes shown primarily relate to dependency versioning in composer.json files and error handling in unrelated components. The critical RMA PDF filename handling logic is not visible in the provided diffs. While the Catalog/Controller/Adminhtml/Product/Gallery/Upload.php change improves error handling, it doesn't directly relate to the described RMA vulnerability. Without seeing the actual RMA PDF generation/filename handling code, specific vulnerable functions cannot be identified with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsions *.*.* (*n* **rli*r), *.*.*-p* (*n* **rli*r) *n* *.*.*-p* (*n* **rli*r) *r* *****t** *y * Viol*tion o* S**ur* **si*n Prin*ipl*s vuln*r**ility in RM* P** *il*n*m* *orm*ts. Su***ss*ul *xploit*tion *oul* *llow *n *tt**k*r to **t un*ut*or

Reasoning

T** provi*** *ommit *i** *n* vuln*r**ility **s*ription *o*us on RM* P** `*il*n*m*` *orm*t vuln*r**iliti*s, *ut t** *o** ***n**s s*own prim*rily r*l*t* to **p*n**n*y v*rsionin* in `*ompos*r.json` *il*s *n* *rror **n*lin* in unr*l*t** *ompon*nts. T** *