CVE-2021-33199: 
Expression Engine vulnerability analysis and mitigation

In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg. This vulnerability was assigned CVE-2021-33199 and was disclosed in August 2021 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-20 (Improper Input Validation) and affects all versions of ExpressionEngine prior to 6.0.3 (NVD).

Due to the critical CVSS score and vector string, this vulnerability could allow remote attackers to achieve complete system compromise with high impacts on confidentiality, integrity, and availability. The lack of required privileges or user interaction makes this vulnerability particularly dangerous (NVD).

The vulnerability has been fixed in ExpressionEngine version 6.0.3. Users are strongly advised to upgrade to this version or later. The fix addresses both a potential remote code execution vulnerability and a potential directory traversal vulnerability (EE Release).