Improper access control in magento-lts - CVE-2020-26285

 


Published: January 19, 2021 / Updated: April 20, 2026


Vulnerability identifier: #VU126489
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-26285
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: magento-lts
Software vendor: OPENMAGE

Description

The vulnerability allows a remote user to inject an executable file onto the server.

The vulnerability exists due to improper access control in widget instances when importing or exporting data and creating widget instances. A remote user who holds these permissions can use them to inject an executable file onto the server.

Exploitation requires administrative access with permission to import or export data and to create widget instances.


Remediation

Install the security update from the vendor's website.
