Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01dnB2LXhtY2otOXE4Nc4AAxOV
Fix for arbitrary file deletion in customer media allows for remote code execution
Impact
Magento admin users with access to the customer media could execute code on the server.
Permalink: https://github.com/advisories/GHSA-5vpv-xmcj-9q85JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01dnB2LXhtY2otOXE4Nc4AAxOV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 9 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-5vpv-xmcj-9q85, CVE-2021-41143
References:
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vpv-xmcj-9q85
- https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22
- https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19
- https://nvd.nist.gov/vuln/detail/CVE-2021-41143
- https://github.com/OpenMage/magento-lts/commit/45330ff50439984e806992fa22c3f96c4d660f91
- https://github.com/advisories/GHSA-5vpv-xmcj-9q85
Blast Radius: 10.7
Affected Packages
packagist:openmage/magento-lts
Dependent packages: 21Dependent repositories: 31
Downloads: 146,815 total
Affected Version Ranges: >= 20.0.0, < 20.0.19, < 19.4.22
Fixed in: 20.0.19, 19.4.22
All affected versions: 19.4.0, 19.4.1, 19.4.2, 19.4.3, 19.4.4, 19.4.5, 19.4.6, 19.4.7, 19.4.8, 19.4.9, 19.4.10, 19.4.11, 19.4.12, 19.4.13, 19.4.14, 19.4.15, 19.4.16, 19.4.17, 19.4.18, 19.4.19, 19.4.20, 19.4.21, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.0.7, 20.0.8, 20.0.10, 20.0.11, 20.0.12, 20.0.13, 20.0.14, 20.0.15, 20.0.16, 20.0.17, 20.0.18
All unaffected versions: 19.4.22, 19.4.23, 19.5.0, 19.5.1, 19.5.2, 19.5.3, 20.0.19, 20.0.20, 20.1.0, 20.1.1, 20.2.0, 20.3.0, 20.4.0, 20.5.0, 20.6.0