Magento Patch SUPEE-9652 - Remote Code Execution using mail vulnerability

Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same so it was fixed as well.

Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:

use sendmail as the mail transport agent
have specific, non-default configuration settings as described here.

Published: May 15, 2024
Updated: Jun 27, 2024
GHSA: GHSA-26hq-7286-mg8f
Severity: Critical
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
magento / community-edition	1.9.0.0	1.14.3.2

https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/2017-02-07.yaml
https://web.archive.org/web/20210616204105/https://magento.com/security/patches/supee-9652

Vulnerability Database

289,784

Magento Patch SUPEE-9652 - Remote Code Execution using mail vulnerability