Vulnerability Description
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to import/export data and to create widget instances was able to inject an executable file on the server. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openmage | Openmage | < 19.4.10 |
Related Weaknesses (CWE)
References
- https://github.com/OpenMage/magento-lts/commit/4132668f5009f17456fe644742026f56dPatchThird Party Advisory
- https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10Third Party Advisory
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-hj6w-xrv3-wjj9Third Party Advisory
- https://github.com/OpenMage/magento-lts/commit/4132668f5009f17456fe644742026f56dPatchThird Party Advisory
- https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10Third Party Advisory
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-hj6w-xrv3-wjj9Third Party Advisory
FAQ
What is CVE-2020-26285?
CVE-2020-26285 is a vulnerability with a CVSS score of 8.7 (HIGH). OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which enables remote code execution. In affected versions an administ...
How severe is CVE-2020-26285?
CVE-2020-26285 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26285?
Check the references section above for vendor advisories and patch information. Affected products include: Openmage Openmage.