
GHSA-26hq-7286-mg8f magento/community-edition

Package

Manager: composer
Name: magento/community-edition
Vulnerable Version: >=1.9.0.0 <1.14.3.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Magento Patch SUPEE-9652 - Remote Code Execution using mail vulnerability

A vulnerability in the Zend Framework 1 mail library bundled with Magento 1 can be exploited remotely to execute code on the server. The issue is not reproducible in Magento 2, but because the same library code ships there, it was fixed in Magento 2 as well.

Note: although the vulnerability is scored as Critical, few installations are affected. To be exploitable, the installation has to:

- use sendmail as the mail transport agent
- have specific, non-default configuration settings as described [here](https://magento.com/security/patches/supee-9652#:~:text=settings%20as%20described-,here,-.).

The affected version range above therefore identifies installations that need the patch, not installations that are confirmed exploitable; the transport and configuration conditions must also hold.
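As an added example that is not part of the advisory or of Magento's own code: a small Python check that reads a composer.lock, looks up magento/community-edition and tests the locked version against the advisory's affected range (>=1.9.0.0, <1.14.3.2). The composer.lock content embedded below is constructed for the example. A hit marks the installation as a candidate for SUPEE-9652, not as confirmed exposure, because the sendmail transport and the non-default settings are also required.

```python
import json
import re
from typing import Optional, Tuple

# Constructed composer.lock fragment for the example (not from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/community-edition", "version": "1.9.3.2"},
        {"name": "zendframework/zendframework1", "version": "1.12.20"},
    ],
    "packages-dev": [],
})

VULNERABLE_PACKAGE = "magento/community-edition"
# Lower bound inclusive, upper bound exclusive, copied from the advisory header.
AFFECTED_RANGE = ("1.9.0.0", "1.14.3.2")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as 'v1.9.3.2' into a comparable 4-tuple.

    Composer versions may carry a leading 'v' and a stability suffix such as
    '-dev'; the numeric core is compared, the suffix is dropped, and missing
    components are padded with zeros so that '1.9' compares as 1.9.0.0.
    Branch versions such as 'dev-master' have no numeric core and raise.
    """
    core = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def is_affected(version: str,
                lo: str = AFFECTED_RANGE[0],
                hi: str = AFFECTED_RANGE[1]) -> bool:
    """True when lo <= version < hi, i.e. inside the advisory's affected range."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def installed_version(lock_json: str,
                      package: str = VULNERABLE_PACKAGE) -> Optional[str]:
    """Return the locked version of `package`, looking in both 'packages' and
    'packages-dev', or None when the package is not installed."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(lock_json: str) -> str:
    """Summarise whether a composer.lock falls inside the advisory's range."""
    version = installed_version(lock_json)
    if version is None:
        return f"{VULNERABLE_PACKAGE} not installed"
    try:
        affected = is_affected(version)
    except ValueError:
        return f"{VULNERABLE_PACKAGE} {version}: non-numeric version, check manually"
    if affected:
        return (f"{VULNERABLE_PACKAGE} {version} is within the affected range "
                f">={AFFECTED_RANGE[0]} <{AFFECTED_RANGE[1]}: apply SUPEE-9652; "
                "actual exposure also requires the sendmail transport and the "
                "non-default settings described in the advisory")
    return f"{VULNERABLE_PACKAGE} {version} is outside the affected range"


if __name__ == "__main__":
    # Run against a real installation with: check_lock(open("composer.lock").read())
    print(check_lock(SAMPLE_LOCK))
```

The range test uses the advisory's bounds literally (lower inclusive, upper exclusive), which is the convention the `>=`/`<` notation in the Package section expresses; it deliberately does not try to detect the sendmail transport or configuration, which live in the Magento database rather than in composer.lock.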

Metadata

Created: 2024-05-15T22:33:44Z
Modified: 2024-05-15T22:33:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-26hq-7286-mg8f/GHSA-26hq-7286-mg8f.json
CWE IDs: []
Alternative ID: N/A
Finding: F422
Auto approve: 1