CVE-2021-32758

OpenMage Magento LTS is an alternative to the Magento CE official releases. Prior to versions 19.4.15 and 20.0.11, layout XML enabled admin users to execute arbitrary commands via block methods. The latest OpenMage Versions up from v19.4.15 and v20.0.11 have this Issue patched.

Published: Aug 27, 2021
Updated: May 9, 2024
CVE: CVE-2021-32758
GHSA: GHSA-26rr-v2j2-25fh
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-91

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
openmage / openmage	20.0.00	20.0.11
openmage / openmage	-	19.4.15
openmage / magento-lts	-	19.4.15
openmage / magento-lts	20.0.0	20.0.13

https://github.com/OpenMage/magento-lts/commit/b99307d00b59c4a226a1e3e4083f02cf2fc8fce7
https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15
https://github.com/OpenMage/magento-lts/releases/tag/v20.0.11
https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-26rr-v2j2-25fh

Vulnerability Database

290,020

CVE-2021-32758