Description
OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, an administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. Versions 19.4.22 and 20.0.19 contain a patch for this issue.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- network
- Complexity
- low
- Privileges
- high
- User Action
- none
- Scope
- unchanged
- Confidentiality
- high
- Integrity
- high
- Availability
- high
- Weaknesses
- CWE-77CWE-434
Metadata
- Primary Vendor
- OPENMAGE
- Published
- 1/27/2023
- Last Modified
- 11/21/2024
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
openmage : magentoopenmage : magento
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.