Vulnerability Description
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server and load it via layout xml. The latest OpenMage Versions up from 19.4.10 and 20.0.6 have this issue solved.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openmage | Openmage | < 19.4.10 |
Related Weaknesses (CWE)
References
- https://github.com/OpenMage/magento-lts/commit/0786aa48bc7b618cfe37b59f45e1da371PatchThird Party Advisory
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-99m6-r53j-4hh2Third Party Advisory
- https://github.com/OpenMage/magento-lts/commit/0786aa48bc7b618cfe37b59f45e1da371PatchThird Party Advisory
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-99m6-r53j-4hh2Third Party Advisory
FAQ
What is CVE-2020-26252?
CVE-2020-26252 is a vulnerability with a CVSS score of 8.7 (HIGH). OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administ...
How severe is CVE-2020-26252?
CVE-2020-26252 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26252?
Check the references section above for vendor advisories and patch information. Affected products include: Openmage Openmage.