Improper access control in magento-lts - CVE-2020-26295

 

Improper access control in magento-lts - CVE-2020-26295

Published: January 19, 2021 / Updated: April 20, 2026


Vulnerability identifier: #VU126490
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-26295
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OPENMAGE
Affected software:
magento-lts

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to improper access control in the CMS layout XML handling when processing layout XML in CMS page editing. A remote user can inject an executable file on the server to execute arbitrary code on the server.

Exploitation requires permissions to import or export data and to edit CMS pages.


How to mitigate CVE-2020-26295

Install security update from vendor's website.

Sources