CVE-2015-1399
published 2015-04-29

Priority: P2 · 74 · medium · 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploited in the wild (ITW): VulnCheck KEV
EPSS: 10.07% (95.0th percentile)

PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary PHP code via a URL in unspecified vectors involving the setScriptPath function. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have privileges to include arbitrary files.

Affected

2 ranges

Vendor    Product    Version range    Fixed in
magento   magento
magento   magento

Detection & IOCs (extracted from sources)

  • Detect CVE-2015-1397 SQL injection by inspecting the filter parameter (e.g., 'filter' GET/POST param) for base64-encoded payloads; decode base64 content and apply SQL injection detection rules to the decoded query-string values.
  • WAF rules must search for PHP wrapper payloads (phar://, php://, etc.) anywhere inside HTTP parameter values, not only at the beginning, due to the Magento template reflection structure wrapping the payload.
  • The three CVEs (CVE-2015-1397, CVE-2015-1398, CVE-2015-1399) are chained together to achieve unauthenticated RCE; blocking only CVE-2015-1399 (RFI) is insufficient since the SQL injection (CVE-2015-1397) alone was observed in the wild to add rogue admin accounts, compromising the database before the RFI stage is reached.
  • Generic WAF rules are insufficient for this vulnerability chain; all three CVEs require dedicated, Magento-specific inspection rules because the exploit payloads are encoded (base64 for SQLi) or embedded in application-specific template reflection syntax not present in any other web application.
  • Affected versions are Magento Community Edition 1.9.1.0 and Enterprise Edition 1.14.1.0; the RFI vector specifically involves the fetchView function in Mage_Core_Block_Template_Zend and the setScriptPath function.
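
The first two detection points above, sketched as an added example (not code from the quoted sources or from Magento): it base64-decodes the filter parameter and checks the inner query-string values, and it searches every parameter value for PHP wrapper schemes at any offset. The SQL injection patterns, the wrapper list beyond phar:// and php://, the parameter name "content" and all sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# phar:// and php:// are named in the list above; the other schemes are an
# assumption covering further built-in PHP stream wrappers.
WRAPPER_RE = re.compile(r"(?:phar|php|zip|data|expect|glob)://", re.I)
# Deliberately small SQLi heuristics (assumption); substitute your WAF's rules.
SQLI_RE = re.compile(r"\bunion\b.+\bselect\b|;\s*(?:insert|update|delete|drop|set)\b|--\s|/\*", re.I | re.S)

def decode_filter(value):
    """Return the base64-decoded filter value, or None if it is not valid base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def inspect_request(params):
    """Return (parameter, reason) findings for one request's decoded parameters."""
    findings = []
    for name, value in params.items():
        # search(), not match(): the wrapper may sit in the middle of the value.
        if WRAPPER_RE.search(value):
            findings.append((name, "php-wrapper"))
        if name != "filter":
            continue
        decoded = decode_filter(value)
        if decoded is None:
            continue
        # The decoded blob is itself a query string; check each inner pair.
        for key, inner in parse_qsl(decoded, keep_blank_values=True):
            if SQLI_RE.search(inner) or SQLI_RE.search(key):
                findings.append((name, "sqli-in-base64:" + key))
            if WRAPPER_RE.search(inner):
                findings.append((name, "php-wrapper-in-base64"))
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = {"filter": base64.b64encode(b"name=shirt&price[from]=10").decode()}
SQLI_SAMPLE = {"filter": base64.b64encode(b"name[like]=x' UNION SELECT 1 -- ").decode()}
WRAPPER_SAMPLE = {"content": "constructed text before phar://constructed/archive.phar and after"}

if __name__ == "__main__":
    for sample in (BENIGN, SQLI_SAMPLE, WRAPPER_SAMPLE):
        print(inspect_request(sample))
```

A rule that inspected only the raw filter value would see nothing but base64 characters in the second sample, and a wrapper rule anchored to the start of the value would miss the third.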

CVSS provenance

nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck · 6.5 MEDIUM