CVE-2021-32758XML Injection (aka Blind XPath Injection) in Magento-lts

CWE-91XML Injection (aka Blind XPath Injection)4 documents4 sources
Severity
7.2HIGHNVD
EPSS
0.4%
top 41.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openmage Magento-ltsOpenmage
Timeline
PublishedAug 27
Latest updateAug 30

Description

OpenMage Magento LTS is an alternative to the Magento CE official releases. Prior to versions 19.4.15 and 20.0.11, layout XML enabled admin users to execute arbitrary commands via block methods. The latest OpenMage Versions up from v19.4.15 and v20.0.11 have this Issue patched.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

CVEListV5openmage/magento-lts< 19.4.15+1
Packagistopenmage/magento-lts20.0.020.0.13+1
NVDopenmage/openmage20.0.0020.0.11+1

🔴Vulnerability Details

3
GHSA
Layout XML Arbitrary Code Fix2021-08-30
OSV
Layout XML Arbitrary Code Fix2021-08-30
CVEList
Layout XML Arbitrary Code Fix2021-08-27
CVE-2021-32758 — Openmage Magento-lts vulnerability | cvebase