CVE-2021-39217 — Command Injection in Magento-lts

CWE-77 — Command Injection4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.7%

top 27.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openmage Magento-lts Openmage Magento

Timeline

PublishedJan 27

Description

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶NVDopenmage/magento20.0.0 — 20.0.19+1

▶CVEListV5openmage/magento-lts< 19.4.22+1

▶Packagistopenmage/magento-lts20.0.0 — 20.0.19+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Fix for arbitrary command execution in custom layout update through blocks↗2023-01-27

▶

GHSA

Fix for arbitrary command execution in custom layout update through blocks↗2023-01-27

▶

CVEList

OpenMage LTS arbitrary command execution in custom layout update through blocks↗2023-01-27

▶