SB2021011929 - Multiple vulnerabilities in Magento LTS
Published: January 19, 2021 Updated: April 20, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2020-26295)
The vulnerability allows a remote user to execute arbitrary code on the server.
The vulnerability exists due to improper access control in the handling of CMS layout XML during CMS page editing. A remote user can inject an executable file on the server and use it to execute arbitrary code.
Exploitation requires permissions to import or export data and to edit CMS pages.
2) Improper access control (CVE-ID: CVE-2020-26285)
The vulnerability allows a remote user to inject an executable file on the server.
The vulnerability exists due to improper access control in widget instances when importing or exporting data and creating widget instances. A remote user can use these permissions to inject an executable file on the server.
Exploitation requires administrative access with permission to import or export data and to create widget instances.
3) Improper access control (CVE-ID: CVE-2020-26252)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in layout XML processing when updating product data. A remote user can store an executable file on the server and load it via layout XML to execute arbitrary code.
Remediation
Install the update from the vendor's website.