Layout XML Arbitrary Code Fix

Description

Impact

Layout XML enabled admin users to execute arbitrary commands via block methods.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Not specified
Published (advisory)
2021-08-30 17:20:52 UTC
Updated
2023-02-01 05:06:04 UTC
GitHub reviewed
2021-08-30 16:42:41 UTC
NVD published
2021-08-27

EPSS Score

Score Percentile
0.36% 57.52%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-91 XML Injection (aka Blind XPath Injection)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer openmage/magento-lts < 19.4.15 19.4.15
composer openmage/magento-lts >= 20.0.0, < 20.0.13 20.0.13

References

cvelogic Threat Intelligence