GHSA-5vpv-xmcj-9q85

Source

https://github.com/advisories/GHSA-5vpv-xmcj-9q85

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-5vpv-xmcj-9q85/GHSA-5vpv-xmcj-9q85.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-5vpv-xmcj-9q85

Aliases

CVE-2021-41143

Related

CVE-2021-41143

Published

2023-01-27T00:54:59Z

Modified

2023-11-01T04:56:25.362230Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Fix for arbitrary file deletion in customer media allows for remote code execution

Details

Impact

Magento admin users with access to the customer media could execute code on the server.

Database specific

{
    "nvd_published_at": "2023-01-27T19:15:00Z",
    "github_reviewed_at": "2023-01-27T00:54:59Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-77"
    ]
}

References

Affected packages

Packagist / openmage/magento-lts

Package

Name: openmage/magento-lts
Purl: pkg:composer/openmage/magento-lts

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

19.4.22

Affected versions

1.*

1.9.1.1

1.9.2.0

1.9.2.1

1.9.2.2

1.9.2.3

1.9.2.4

1.9.3.0

1.9.3.1

v19.*

v19.4.0

v19.4.1

v19.4.2

v19.4.3

v19.4.4

v19.4.5

v19.4.6

v19.4.7

v19.4.8

v19.4.9

v19.4.10

v19.4.11

v19.4.12

v19.4.13

v19.4.14

v19.4.15

v19.4.16

v19.4.17

v19.4.18

v19.4.19

v19.4.20

v19.4.21

Packagist / openmage/magento-lts

Package

Name: openmage/magento-lts
Purl: pkg:composer/openmage/magento-lts

Affected ranges

Type: ECOSYSTEM
Events: Introduced

20.0.0

Fixed

20.0.19

Affected versions

v20.*

v20.0.0

v20.0.1

v20.0.2

v20.0.3

v20.0.4

v20.0.5

v20.0.6

v20.0.7

v20.0.8

v20.0.10

v20.0.11

v20.0.12

v20.0.13

v20.0.14

v20.0.15

v20.0.16

v20.0.17

v20.0.18