GHSA-26hq-7286-mg8f

Source
https://github.com/advisories/GHSA-26hq-7286-mg8f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-26hq-7286-mg8f/GHSA-26hq-7286-mg8f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-26hq-7286-mg8f
Published
2024-05-15T22:33:44Z
Modified
2024-05-15T22:33:44Z
Summary
Magento Patch SUPEE-9652 - Remote Code Execution using mail vulnerability
Details

A Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same, so it was fixed there as well.

Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability, the installation has to:

  • use sendmail as the mail transport agent

  • have specific, non-default configuration settings as described here.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T22:33:44Z"
}
References

Affected packages

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.9.0.0
Fixed
1.14.3.2