Total vulnerabilities in the database
In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.
Software | From | Fixed in |
---|---|---|
openmage / magento | 20.0.0 | 20.0.4 |
openmage / magento | - | 19.4.8.x |
![]() |
- | 19.4.8 |
![]() |
20.0.0 | 20.0.4 |