OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved
References
Link | Resource |
---|---|
https://github.com/OpenMage/magento-lts/commit/9cf8c0aa1d1306051a18ace08d40279dadc1fb35 | Patch Third Party Advisory |
https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10 | Third Party Advisory |
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-52c6-6v3v-f3fg | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
28 Jan 2021, 16:19
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 7.2 |
References | (CONFIRM) https://github.com/OpenMage/magento-lts/security/advisories/GHSA-52c6-6v3v-f3fg - Third Party Advisory | |
References | (MISC) https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10 - Third Party Advisory | |
References | (MISC) https://github.com/OpenMage/magento-lts/commit/9cf8c0aa1d1306051a18ace08d40279dadc1fb35 - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:openmage:openmage:*:*:*:*:lts:*:*:* | |
CWE | CWE-22 CWE-434 |
26 Jan 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
Summary | OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved |
21 Jan 2021, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-01-21 14:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-26295
Mitre link : CVE-2020-26295
CVE.ORG link : CVE-2020-26295
JSON object : View
Products Affected
openmage
- openmage