Skip to content

Magento Patch SUPEE-9652 - Remote Code Execution using mail vulnerability

Critical severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

composer magento/community-edition (Composer)

Affected versions

>= 1.9.0.0, < 1.14.3.2

Patched versions

1.14.3.2

Description

Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same so it was fixed as well.

Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:

  • use sendmail as the mail transport agent

  • have specific, non-default configuration settings as described here.

References

Published to the GitHub Advisory Database May 15, 2024
Reviewed May 15, 2024
Last updated May 15, 2024

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-26hq-7286-mg8f

Source code

This advisory has been edited. See History.
See something to contribute? Suggest improvements for this vulnerability.