Headline
GHSA-c9q3-r4rv-mjm7: Fix for arbitrary command execution in custom layout update through blocks
Impact
Custom layout updates allowed admin users to execute arbitrary commands via block methods.
High severity • GitHub Reviewed • Published Jan 27, 2023 in OpenMage/magento-lts • Updated Jan 27, 2023
Related news
CVE-2021-41143: Release v19.4.22 · OpenMage/magento-lts
OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue.