OpenMage LTS authenticated remote code execution through layout update
CVE-2021-41144

8.8HIGH

Key Information:

Vendor

Openmage

Status
Magento-lts
Vendor
CVE Published:
27 January 2023

What is CVE-2021-41144?

A remote code execution vulnerability exists in OpenMage LTS, a popular e-commerce platform. Prior to version 19.4.22 and 20.0.19, a flaw allowed layout blocks to bypass a blacklist, potentially leading to unauthorized remote code execution. This vulnerability has been addressed in the newer versions, ensuring better security for users.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

magento-lts < 19.4.22 < 19.4.22

magento-lts >= 20.0.0, < 20.0.19 < 20.0.0, 20.0.19

References

https://github.com/OpenMage/magento-lts/security/advisori...
x_refsource_CONFIRM
https://github.com/OpenMage/magento-lts/commit/06c45940ba...
x_refsource_MISC
https://github.com/OpenMage/magento-lts/releases/tag/v19....
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.