CVE-2020-26252

8.7 HIGH

📋 TL;DR

An authenticated OpenMage administrator whose role includes permission to update product data can store an executable file on the server through a product update and then have it executed by referencing it from layout XML. The result is remote code execution as the web server user. Only OpenMage 19.4.x before 19.4.10 and 20.0.x before 20.0.6 are affected, and the attacker needs a valid admin account (or stolen admin credentials) that carries that permission: this is a post-authentication path from a limited admin role to code execution, not an unauthenticated exploit.

💻 Affected Systems

Products:
  • OpenMage
Versions: 19.4.x before 19.4.10 and 20.0.x before 20.0.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated administrator whose ACL role grants product updates (Catalog > Manage Products). OpenMage is a fork of Magento Community Edition; this advisory covers OpenMage only.

📦 What is this software?

OpenMage (Composer package openmage/magento-lts) is the community-maintained fork of Magento 1 Community Edition, a PHP e-commerce platform. It continued security and PHP-compatibility fixes after Adobe ended Magento 1 support in June 2020. The 19.4.x branch stays compatible with Magento 1.9.4.x; the 20.0.x branch is where backward-incompatible changes are allowed. Both branches received the fix for this issue.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise. The attacker runs arbitrary code as the web server user, reads the database credentials in app/etc/local.xml, steals customer and order data, installs backdoors, or pivots to other systems.

🟠 Likely Case: The attacker obtains a web shell on the store's web server, reads sensitive data and modifies site content.

🟢 If Mitigated: Impact is limited to what an already-trusted administrator could do anyway, provided product-update rights are confined to a few monitored accounts, the admin path is protected (strong authentication, IP allowlisting where feasible), and the media tree is watched for non-image files. The risk stays elevated until the patch is applied, because the vulnerable code path remains reachable by every account holding that permission.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid administrator session with product-update permission; an attacker who has phished, brute-forced or otherwise obtained such credentials can chain the file upload and the layout XML reference into code execution without any further vulnerability. Proof-of-concept material is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.4.10 (19.4.x branch) or 20.0.6 (20.0.x branch), or any later release on either branch

Vendor Advisory: https://github.com/OpenMage/magento-lts/security/advisories/GHSA-99m6-r53j-4hh2

Restart Required: No

Instructions:

1. Back up the OpenMage code tree and the database.
2. Update to OpenMage 19.4.10 (if you track 19.4.x) or 20.0.6 (if you track 20.0.x), or later, using the same mechanism you installed with (Composer, git, or a release archive).
3. Flush the caches (System > Cache Management, or clear var/cache) and verify that the storefront and the admin panel still work.

🔧 Temporary Workarounds

Restrict Administrator Permissions (all platforms)

Until the patch is applied, remove the Catalog > Manage Products resource from admin roles that do not strictly need it, and review which accounts still hold roles that include it. Disable or reset any admin account that is unused or shared.

File Upload Restrictions (all platforms)

At the WAF or reverse proxy, block multipart uploads to admin catalog_product actions whose part filenames end in .php, .phtml or .phar, and alert on admin requests that submit layout XML (the Custom Layout Update field on a product's Design tab is one place where an account with product-update rights can supply it). Note the limit of web-server rules: denying direct HTTP access to scripts under media/ is good hygiene, but it does not stop this issue, because the stored file is executed server-side when layout XML references it, not by a browser request to its URL.

🧯 If You Can't Patch

  • Keep the set of admin accounts with product-update rights minimal, review them regularly, and protect the admin path with strong authentication and IP allowlisting where the business allows it.
  • Monitor the media tree (especially media/catalog/product) for files that are not images, and alert on admin product saves that carry layout XML or non-image uploads; treat any such finding as a likely compromise and investigate the account that made the change.

🔍 How to Verify

Check if Vulnerable:

Read the installed OpenMage version. For a Composer-managed install run composer show openmage/magento-lts; for a git or archive install the version constants live in app/Mage.php. Any 19.4.x release below 19.4.10 or 20.0.x release below 20.0.6 is vulnerable.

Check Version:

composer show openmage/magento-lts | grep version

Verify Fix Applied:

Confirm the reported version is 19.4.10 or later on the 19.4.x branch, or 20.0.6 or later on the 20.0.x branch, using the same command. A version that is merely "later" on the wrong branch (for example 19.4.9 when 20.0.6 is out) is still vulnerable.
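The branch logic above is easy to get wrong by hand, so here is an added example (not part of the advisory or the OpenMage project) that classifies a version string against both fixed releases and can read the version straight from composer show output. The "versions : * X.Y.Z" line format it parses is an assumption about Composer's output; the script name check.sh is hypothetical.

```sh
#!/bin/sh
# Added example; not part of the advisory or the OpenMage project.
# Classifies an OpenMage version string against the fixed releases named
# above (19.4.10 on the 19.4.x branch, 20.0.6 on the 20.0.x branch).
# composer_show_version assumes the "versions : * X.Y.Z" line that
# `composer show <package>` prints for an installed package.

# openmage_is_vulnerable VERSION
#   exit 0 = vulnerable, 1 = fixed, 2 = not a parseable version
openmage_is_vulnerable() {
    # Drop a leading "v" and any suffix such as "-rc1" or "-dev".
    v=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Missing components ("20" or "20.0") count as 0; extra ones are ignored.
    [ "$rest" = "$v" ] && { minor=0; rest=0; }
    [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%.*}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in
            ''|*[!0-9]*) echo "cannot parse version: $1" >&2; return 2 ;;
        esac
    done
    # Everything older than 19.4.10 is vulnerable ...
    if [ "$major" -lt 19 ]; then return 0; fi
    if [ "$major" -eq 19 ]; then
        if [ "$minor" -lt 4 ]; then return 0; fi
        if [ "$minor" -eq 4 ] && [ "$patch" -lt 10 ]; then return 0; fi
        return 1
    fi
    # ... as is the 20.0.x branch before 20.0.6.
    if [ "$major" -eq 20 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 6 ]; then
        return 0
    fi
    return 1
}

# composer_show_version < output-of-composer-show
#   prints the installed version, e.g. 19.4.9
composer_show_version() {
    sed -n 's/^versions[[:space:]]*:[[:space:]]*\*[[:space:]]*//p' | head -n 1
}

# report VERSION: one human-readable line per version.
report() {
    rc=0
    openmage_is_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "$1: VULNERABLE to CVE-2020-26252, upgrade to 19.4.10 / 20.0.6 or later" ;;
        1) echo "$1: fixed" ;;
        *) echo "$1: unrecognised version format" ;;
    esac
}

# Stand-alone use:
#   ./check.sh 19.4.9 20.0.6
#   composer show openmage/magento-lts | ./check.sh -
for ver; do
    if [ "$ver" = - ]; then ver=$(composer_show_version); fi
    report "$ver"
done
```

Anything the parser cannot read is reported as unrecognised rather than silently treated as fixed, so a typo in the version string cannot produce a false "fixed" verdict.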

📡 Detection & Monitoring

Log Indicators:

  • Files with script extensions (.php, .phtml, .phar) appearing under media/, especially media/catalog/product, which should hold images only
  • Admin product saves that change layout XML (custom layout update) from accounts that do not normally edit design settings
  • Admin accounts saving products at unusual hours, from new IPs, or in bulk

Network Indicators:

  • Multipart POSTs to admin catalog_product actions whose part filenames end in .php, .phtml or .phar (visible only where the WAF or proxy logs request bodies; plain access logs record the URL, not the uploaded filename)
  • Admin POSTs whose body carries layout XML (<layout>, <reference> or <block> elements)

SIEM Query:

source="web_logs" AND http_method="POST" AND uri_path="*/catalog_product/*" AND (file_upload="*.php" OR file_upload="*.phtml" OR file_upload="*.phar")

The file_upload field is a placeholder for whatever field your WAF or proxy populates with multipart part filenames; without request-body logging, drop that clause and baseline admin product POSTs per account and source IP instead.
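Where no SIEM or WAF is in place, the same two indicators can be checked on the host. The following is an added example, not code from the advisory or the OpenMage project: one function lists script files under the media tree, the other filters combined-format access logs for POSTs to admin catalog_product actions. It assumes the Apache/nginx combined log format and, for the demo, the default admin frontName "admin"; the sample log lines are constructed and the script name detect.sh is hypothetical.

```sh
#!/bin/sh
# Added example; not code from the advisory or the OpenMage project.
# Host-side checks for the indicators above:
#   find_scripts_in_media MEDIA_DIR         - script files under media/, where
#                                             product uploads should be images only
#   admin_product_posts FRONTNAME [LOG...]  - POST requests to admin catalog_product
#                                             actions from combined-format access logs
# Assumes the Apache/nginx combined log format; SAMPLE_LOG is constructed,
# not real traffic, and "admin" is the default admin frontName.

find_scripts_in_media() {
    # Case-insensitive so shell.PHTML or x.PhP are not missed; a double
    # extension such as image.jpg.php still ends in .php and is caught.
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
                       -o -iname '*.phtml' -o -iname '*.phar' \)
}

admin_product_posts() {
    frontname=$1
    shift
    # Combined format fields: $1 client IP, $4 $5 [timestamp zone],
    # $6 "METHOD, $7 request path, $9 status code. With no LOG argument
    # the function reads stdin.
    grep -E "\"POST [^\" ]*/${frontname}/catalog_product[^\" ]*" -- "$@" |
        awk '{ print $1, $4 " " $5, $7, $9 }'
}

# Constructed sample (not real traffic): an admin product save, an unrelated
# storefront POST, and a GET of the admin product grid.
SAMPLE_LOG='203.0.113.5 - - [10/Dec/2020:14:02:11 +0000] "POST /index.php/admin/catalog_product/save/id/42/key/abc123/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2020:14:02:20 +0000] "POST /checkout/cart/add/product/42/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2020:14:03:02 +0000] "GET /index.php/admin/catalog_product/index/key/abc123/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

if [ "$#" -ge 2 ]; then
    # ./detect.sh MEDIA_DIR FRONTNAME [ACCESS_LOG...]
    find_scripts_in_media "$1"
    shift
    admin_product_posts "$@"
else
    # No arguments: demonstrate the log filter on the constructed sample.
    printf '%s\n' "$SAMPLE_LOG" | admin_product_posts admin
fi
```

Run against a real store as ./detect.sh /var/www/html/media admin /var/log/apache2/access.log; any output from the media scan deserves immediate attention, while the log filter is a starting point to baseline which accounts and addresses save products and when.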
