| Severity | CVSS | Advisory | Affected versions |
|---|---|---|---|
| CRITICAL | 9.8 | CVE-2021-21426: Fixes a bug in Zend Framework's Stream HTTP Wrapper | from 0, < 19.4.13 |
| CRITICAL | 9.1 | CVE-2021-21427: Backport for CVE-2021-21024 Blind SQLi from Magento 2 | from 0, < 19.4.13 |
| HIGH | 8.8 | OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution | from 0, < 20.17.0 |
| HIGH | 8.8 | Fix for authenticated remote code execution through layout update | from 0, < 19.4.22 |
| HIGH | 8.1 | OpenMage LTS: Phar Deserialization leads to Remote Code Execution | from 0, < 20.17.0 |
| HIGH | 8.0 | RCE via PHP Object injection via SOAP Requests | from 0, < 19.4.8 |
| HIGH | 8.0 | Observable Timing Discrepancy in OpenMage LTS | from 0, < 19.4.6 |
| HIGH | 7.5 | Magento LTS's guest order "protect code" can be brute-forced too easily | from 0, < 19.5.1 |
| HIGH | 7.2 | DataFlow upload remote code execution vulnerability | from 0, < 19.4.22 |
| HIGH | 7.2 | Fix for arbitrary file deletion in customer media allows for remote code execution | from 0, < 19.4.22 |
| HIGH | 7.2 | Fix for arbitrary command execution in custom layout update through blocks | from 0, < 19.4.22 |
| MEDIUM | 6.1 | Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` | from 0, < 20.18.0 |
| MEDIUM | 5.4 | OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure | from 0, < 20.17.0 |
| MEDIUM | 5.3 | Magento's X-Original-Url header can expose admin url | from 0, < 20.16.1 |
| MEDIUM | 4.9 | OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module | from 0, < 20.17.0 |
| MEDIUM | 4.9 | DoS vulnerability in MaliciousCode filter | from 0, < 19.4.22 |
| MEDIUM | 4.3 | magento-lts Reset Password not protected against well-timed CSRF | from 0, < 19.4.22 |
| MEDIUM | 4.1 | Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs | from 0, < 20.10.1 |
| LOW | 2.9 | Magento LTS vulnerable to stored XSS in theme config fields | from 0, < 20.12.3 |
| — | — | Magento LTS: Reflected XSS - Import -> Data Flow (profiles) | from 0, < 20.18.0 |
| — | — | Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs | from 0, < 20.18.0 |
| — | — | OpenMage vulnerable to XSS in Admin Notifications | from 0, < 20.16.0 |
| — | — | Layout XML Arbitrary Code Fix | from 0, < 19.4.15 |
| — | — | Data Flow Sanitation Issue Fix | from 0, < 19.4.15 |