Code Injection in magento-lts

#VU71575 Code Injection in magento-lts

Published: 2023-01-26

Vulnerability identifier: #VU71575

Vulnerability risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41231

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
magento-lts
Web applications / Modules and components for CMS

Vendor: OPENMAGE

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in DataFlow upload feature. A remote administrator with the permissions to upload files via DataFlow can execute arbitrary code via the convert profile.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

magento-lts: 20.0.0 - 20.0.10, 19.4.0 - 19.4.12

External links
http://github.com/OpenMage/magento-lts/security/advisories/GHSA-h632-p764-pjqm
http://github.com/OpenMage/magento-lts/releases/tag/v20.0.19
http://github.com/OpenMage/magento-lts/releases/tag/v19.4.22

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in magento-lts