Headline
GHSA-h632-p764-pjqm: DataFlow upload remote code execution vulnerability
Impact
An administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile.
High severity • GitHub Reviewed • Published Jan 27, 2023 in OpenMage/magento-lts • Updated Jan 27, 2023
Related news
CVE-2021-41143: Release v19.4.22 · OpenMage/magento-lts
OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue.