GHSA-h632-p764-pjqm

Source
https://github.com/advisories/GHSA-h632-p764-pjqm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-h632-p764-pjqm/GHSA-h632-p764-pjqm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h632-p764-pjqm
Aliases
Published
2023-01-27T00:56:58Z
Modified
2023-11-08T04:06:56.874279Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
DataFlow upload remote code execution vulnerability
Details

Impact

An administrator with permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile.

Database specific
{
    "nvd_published_at": "2023-01-27T19:15:00Z",
    "github_reviewed_at": "2023-01-27T00:56:58Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-434",
        "CWE-77"
    ]
}
References

Affected packages

Packagist / openmage/magento-lts

Package

Name
openmage/magento-lts
Purl
pkg:composer/openmage/magento-lts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
19.4.22

Affected versions

1.*

1.9.1.1
1.9.2.0
1.9.2.1
1.9.2.2
1.9.2.3
1.9.2.4
1.9.3.0
1.9.3.1

v19.*

v19.4.0
v19.4.1
v19.4.2
v19.4.3
v19.4.4
v19.4.5
v19.4.6
v19.4.7
v19.4.8
v19.4.9
v19.4.10
v19.4.11
v19.4.12
v19.4.13
v19.4.14
v19.4.15
v19.4.16
v19.4.17
v19.4.18
v19.4.19
v19.4.20
v19.4.21

Packagist / openmage/magento-lts

Package

Name
openmage/magento-lts
Purl
pkg:composer/openmage/magento-lts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
20.0.0
Fixed
20.0.19

Affected versions

v20.*

v20.0.0
v20.0.1
v20.0.2
v20.0.3
v20.0.4
v20.0.5
v20.0.6
v20.0.7
v20.0.8
v20.0.10
v20.0.11
v20.0.12
v20.0.13
v20.0.14
v20.0.15
v20.0.16
v20.0.17
v20.0.18