In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| openmage/magento-lts(Packagist) | 0 | 19.4.8 | N/A |
| openmage/magento-lts(Packagist) | 20.0.0 | 20.0.4 | N/A |
CVSS Metrics
