CVE-2020-26285 Vulnerability Details

  /     /     /  

CVE-2020-26285 Metadata Quick Info

CVE Published: 21/01/2021 | CVE Updated: 04/08/2024 | CVE Year: 2020
Source: GitHub_M | Vendor: OpenMage | Product: magento-lts
Status : PUBLISHED

---

CVE-2020-26285 Description

OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to import/export data and to create widget instances was able to inject an executable file on the server. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved

Metrics

CVSS Version: 3.1 | Base Score: 8.7 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-22
CWE Name: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ( Path Traversal )
Source: OpenMage

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).