CVE-2021-39217

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue.

CVSS v3.0 7.2 HIGH

7.2^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f	Patch Third Party Advisory
https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22	Release Notes Third Party Advisory
https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19	Release Notes Third Party Advisory
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7	Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openmage:magento:::::lts:::*
	cpe:2.3:a:openmage:magento:::::lts:::*

Information

Published : 2023-01-27 10:15

Updated : 2023-02-03 17:55

NVD link : CVE-2021-39217

Mitre link : CVE-2021-39217

JSON object : View

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Advertisement

Products Affected

openmage

magento

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f", "name": "https://github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22", "name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19", "name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7", "name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7", "tags": ["Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-77"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-39217", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}}, "publishedDate": "2023-01-27T18:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "20.0.19", "versionStartIncluding": "20.0.0"}, {"cpe23Uri": "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "19.4.22"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-04T01:55Z"}