Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yNmhxLTcyODYtbWc4Zs4AA8Iy
Magento Patch SUPEE-9652 - Remote Code Execution using mail vulnerability
A Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same, so it was fixed there as well.
Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:
- use sendmail as the mail transport agent
- have specific, non-default configuration settings as described here.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNmhxLTcyODYtbWc4Zs4AA8Iy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-26hq-7286-mg8f
References:
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/2017-02-07.yaml
- https://web.archive.org/web/20210616204105/https://magento.com/security/patches/supee-9652
- https://github.com/advisories/GHSA-26hq-7286-mg8f
Affected Packages
packagist:magento/community-edition
Dependent packages: 13
Dependent repositories: 12
Downloads: 48,379 total
Affected Version Ranges: >= 1.9.0.0, < 1.14.3.2
Fixed in: 1.14.3.2
All affected versions:
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7