CVE-2021-39217 HIGH

CVE-2021-39217: OpenMage LTS arbitrary command execution in custom layout update through blocks

Vendor Openmage
Product magento-lts
Weakness CWE-77
Published January 27, 2023
Last update March 10, 2025

CVSS base score

7.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, the Custom Layout Update feature allowed authenticated admin users to execute arbitrary commands through block methods invoked from layout XML. Versions 19.4.22 and 20.0.19 contain patches for this issue.

Disclosure timeline

January 27, 2023: CVE published
March 10, 2025: Record updated