CVE-2015-1398
published 2015-04-29


Priority: P2 75 (medium)
CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 14.40% (96.2th percentile)
Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote authenticated users to include and execute certain PHP files via (1) .. (dot dot) sequences in the PATH_INFO to index.php or (2) vectors involving a block value in the ___directive parameter to the Cms_Wysiwyg controller in the Adminhtml module, related to the blockDirective function and the auto loading mechanism. NOTE: vector 2 might not cross privilege boundaries, since administrators might already have the privileges to execute code and upload files.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
magento | magento | |
magento | magento | |

Detection & IOCs (extracted from sources)

  • Detect directory traversal / admin controller hijacking by inspecting PATH_INFO in requests to index.php for dot-dot sequences ('..') or patterns matching 'Adminhtml_' class name segments in non-admin URL paths.
  • Inspect the ___directive parameter in requests to the Cms_Wysiwyg controller (Adminhtml module) for suspicious block values, particularly PHP wrapper strings such as 'phar://' used as ScriptPath values in Magento template reflection syntax.
  • For CVE-2015-1397 (chained SQLi): filter values are base64-encoded query strings; WAF rules must base64-decode the filter parameter before inspecting for SQL injection payloads, as raw inspection will miss encoded payloads.
  • Vector 2 (___directive / blockDirective) may not cross privilege boundaries since administrators may already have code execution and file upload privileges; prioritize detection of vector 1 (PATH_INFO traversal) for unauthenticated/low-privilege scenarios.
  • Standard WAF rules inspecting plain HTTP parameters will not detect the authentication bypass or SQL injection components of this exploit chain without Magento-specific inspection logic; generic signatures are insufficient.
  • The full unauthenticated RCE requires chaining three CVEs (CVE-2015-1397, CVE-2015-1398, CVE-2015-1399); CVE-2015-1398 alone provides authentication bypass, not direct code execution.
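
The checks listed above can be combined into one request inspector; the following is an added example, not code from this page or from Magento, run over constructed requests. The function names, the admin route name "admin", both token lists, and the best-effort base64 decoding of ___directive are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ADMIN_FRONTNAME = "admin"  # assumption: the store's admin route name
SQL_RE = re.compile(r"(?i)\bunion\b.+\bselect\b|\bselect\b.+\bfrom\b|\b(sleep|benchmark)\s*\(")
WRAPPER_RE = re.compile(r"(?i)\b(phar|php|zip|data)://")  # page names phar://; rest assumed

def decoded_views(value):
    """Return the raw value plus its base64 decoding when that yields text."""
    views = [value]
    b64 = value.translate(str.maketrans("-_,", "+/="))  # accept URL-safe alphabets
    b64 += "=" * (-len(b64) % 4)
    try:
        views.append(base64.b64decode(b64, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64 text: only the raw view is inspected
    return views

def inspect_request(target, body=""):
    """Return sorted finding names for one request target and form body."""
    findings = set()
    url = urlsplit(target)
    path = unquote(unquote(url.path))  # undo single and double percent-encoding
    _, found, path_info = path.partition("/index.php")
    if found:
        segments = [s for s in re.split(r"[/\\]", path_info) if s]
        if ".." in segments:
            findings.add("path_info_dotdot")
        if any("Adminhtml_" in s for s in segments) and segments[0] != ADMIN_FRONTNAME:
            findings.add("adminhtml_in_non_admin_path")
    for name, value in parse_qsl(url.query) + parse_qsl(body):
        for view in decoded_views(value):
            if name == "filter" and SQL_RE.search(view):
                findings.add("sqli_in_filter")
            if name == "___directive" and WRAPPER_RE.search(view):
                findings.add("wrapper_in_directive")
    return sorted(findings)

enc = lambda text: base64.urlsafe_b64encode(text.encode()).decode()
SAMPLES = [  # constructed requests (target, body), not captured traffic
    ("/index.php/catalog/%2e%2e/example", ""),
    ("/index.php/foo/Adminhtml_Example/index", ""),
    ("/index.php/admin/example/index?filter=" + enc("id=1 UNION SELECT 1"), ""),
    ("/index.php/admin/example", "___directive=" + enc("value with phar://placeholder")),
]
if __name__ == "__main__":
    for target, body in SAMPLES:
        print(inspect_request(target, body) or "clean", target)
```

Because the raw base64 text of the filter value never matches the SQL pattern, the third sample is flagged only through its decoded view, which is the gap the list above attributes to plain-parameter WAF rules.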

CVSS provenance

nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck | 6.5 | MEDIUM