Advisories for Composer/Openmage/Magento-Lts package

This XSS vulnerability is about the system configs design/header/welcome design/header/logo_src design/header/logo_src_small design/header/logo_alt They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. While this is in most usage scenarios not a relevant issue, some people work with …

Summary OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Details Mage_Adminhtml_Block_System_Config_Form_Field_File does not escape filename value in certain situations. Same as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717 PoC Create empty file with this filename: <img src=x onerror=alert(1)>.crt Go to System > Configuration > Sales | Payment Methonds. Click Configure on PayPal Express Checkout. Choose API Certificate from …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openmage/magento-lts.

Improper Neutralization in openmage/magento-lts.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in openmage/magento-lts.

Impact Infinite loop in malicious code filter in certain conditions. Workarounds None

Cross-Site Request Forgery (CSRF) in openmage/magento-lts.

OpenMage magento-lts is an alternative to the Magento CE official releases. Due to missing sanitation in data flow in versions prior to 19.4.15 and 20.0.13, it was possible for admin users to upload arbitrary executable files to the server. OpenMage versions 19.4.15 and 20.0.13 have a patch for this Issue.

Admin users can execute arbitrary commands via block methods.

Magento-lts is a long-term support alternative to Magento Community Edition (CE). A vulnerability in magento-lts versions before 19.4.13 and 20.0.9 potentially allows an administrator unauthorized access to restricted resources. This is a backport of CVE-2021-21024. The vulnerability is patched in versions 19.4.13 and 20.0.9.

Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework.

OpenMage is a community-driven alternative to Magento CE. In OpenMage, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml.

OpenMage is a community-driven alternative to Magento CE. The latest OpenMage Versions up from have this Issue solved

OpenMage is a community-driven alternative to Magento CE. In OpenMage there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server and load it via layout xml.

In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.

OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the fromkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.