CVE-2021-32759 — Improper Input Validation in Magento-lts

CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.5%

top 32.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openmage Magento-lts Openmage Magento

Timeline

PublishedAug 27

Latest updateAug 30

Description

OpenMage magento-lts is an alternative to the Magento CE official releases. Due to missing sanitation in data flow in versions prior to 19.4.15 and 20.0.13, it was possible for admin users to upload arbitrary executable files to the server. OpenMage versions 19.4.15 and 20.0.13 have a patch for this Issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶NVDopenmage/magento20.0.0 — 20.0.11+1

▶CVEListV5openmage/magento-lts< 19.4.15+1

▶Packagistopenmage/magento-lts20.0.0 — 20.0.13+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Data Flow Sanitation Issue Fix↗2021-08-30

▶

OSV

Data Flow Sanitation Issue Fix↗2021-08-30

▶

CVEList

Data Flow Sanitation Issue Fix↗2021-08-27

▶