GHSA-26hq-7286-mg8f: Magento Patch SUPEE-9652 - Remote Code Execution using mail vulnerability

May 15, 2024

Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same so it was fixed as well.

Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:

use sendmail as the mail transport agent
have specific, non-default configuration settings as described here.

References

github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/2017-02-07.yaml
github.com/advisories/GHSA-26hq-7286-mg8f
github.com/magento/magento2
web.archive.org/web/20210616204105/https://magento.com/security/patches/supee-9652

Detect and mitigate GHSA-26hq-7286-mg8f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →