CVE-2021-32758

OpenMage Magento LTS is an alternative to the Magento CE official releases. Prior to versions 19.4.15 and 20.0.11, layout XML enabled admin users to execute arbitrary commands via block methods. The latest OpenMage Versions up from v19.4.15 and v20.0.11 have this Issue patched.
aka Blind XPath Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
VendorProductVersion
openmageopenmage
𝑥
< 19.4.15
openmageopenmage
20.0.00 ≤
𝑥
< 20.0.11
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15
https://github.com/OpenMage/magento-lts/releases/tag/v20.0.11
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-26rr-v2j2-25fh
https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15
https://github.com/OpenMage/magento-lts/releases/tag/v20.0.11
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-26rr-v2j2-25fh