Improper access control in magento-lts - CVE-2020-26285

 

Improper access control in magento-lts - CVE-2020-26285

Published: January 19, 2021 / Updated: April 20, 2026


Vulnerability identifier: #VU126489
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-26285
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OPENMAGE
Affected software:
magento-lts

Detailed vulnerability description

The vulnerability allows a remote user to inject an executable file on the server.

The vulnerability exists due to improper access control in widget instances when importing or exporting data and creating widget instances. A remote user can use these permissions to inject an executable file on the server.

Exploitation requires administrative access with permission to import or export data and to create widget instances.


How to mitigate CVE-2020-26285

Install security update from vendor's website.

Sources