GHSA-c9q3-r4rv-mjm7

Source

https://github.com/advisories/GHSA-c9q3-r4rv-mjm7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-c9q3-r4rv-mjm7/GHSA-c9q3-r4rv-mjm7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c9q3-r4rv-mjm7

Aliases

CVE-2021-39217

Published

2023-01-27T00:54:46Z

Modified

2023-11-08T04:06:34.089244Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Fix for arbitrary command execution in custom layout update through blocks

Details

Impact

Custom Layout enabled admin users to execute arbitrary commands via block methods.

Database specific

{
    "nvd_published_at": "2023-01-27T18:15:00Z",
    "github_reviewed_at": "2023-01-27T00:54:46Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-77"
    ]
}

References

Affected packages

Packagist / openmage/magento-lts

Package

Name: openmage/magento-lts
Purl: pkg:composer/openmage/magento-lts

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

19.4.22

Affected versions

1.*

1.9.1.1

1.9.2.0

1.9.2.1

1.9.2.2

1.9.2.3

1.9.2.4

1.9.3.0

1.9.3.1

v19.*

v19.4.0

v19.4.1

v19.4.2

v19.4.3

v19.4.4

v19.4.5

v19.4.6

v19.4.7

v19.4.8

v19.4.9

v19.4.10

v19.4.11

v19.4.12

v19.4.13

v19.4.14

v19.4.15

v19.4.16

v19.4.17

v19.4.18

v19.4.19

v19.4.20

v19.4.21

Packagist / openmage/magento-lts

Package

Name: openmage/magento-lts
Purl: pkg:composer/openmage/magento-lts

Affected ranges

Type: ECOSYSTEM
Events: Introduced

20.0.0

Fixed

20.0.19

Affected versions

v20.*

v20.0.0

v20.0.1

v20.0.2

v20.0.3

v20.0.4

v20.0.5

v20.0.6

v20.0.7

v20.0.8

v20.0.10

v20.0.11

v20.0.12

v20.0.13

v20.0.14

v20.0.15

v20.0.16

v20.0.17

v20.0.18