CVE-2020-26295

8.7 HIGH

📋 TL;DR

This vulnerability allows authenticated administrators with specific permissions to inject executable files via layout XML in OpenMage, a community-driven alternative to Magento CE. Attackers could achieve remote code execution on affected servers. Organizations using vulnerable OpenMage versions are affected.

💻 Affected Systems

Products:
  • OpenMage
Versions: All versions before 19.4.10 and 20.0.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an administrator account holding both the import/export data permission and the edit CMS pages permission

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise leading to data theft, malware deployment, or complete system takeover via remote code execution.

🟠

Likely Case

Privileged administrator account compromise leading to website defacement, data exfiltration, or backdoor installation.

🟢

If Mitigated

Limited impact if proper access controls and monitoring are in place, potentially only affecting specific CMS pages.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated administrator access with specific permissions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.4.10 or 20.0.5

Vendor Advisory: https://github.com/OpenMage/magento-lts/security/advisories/GHSA-52c6-6v3v-f3fg

Restart Required: No

Instructions:

1. Back up your OpenMage installation and database.
2. Update to OpenMage version 19.4.10 or 20.0.5.
3. Clear the cache and recompile if necessary.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Restrict Administrator Permissions

Applies to: all

Remove the import/export data and edit CMS pages permissions from administrators who do not need them.

Implement Web Application Firewall

Applies to: all

Deploy WAF rules to block XML injection attempts and file uploads via layout XML.

🧯 If You Can't Patch

  • Implement strict access controls and least privilege for administrator accounts
  • Monitor and audit administrator activities, especially import/export and CMS editing operations

🔍 How to Verify

Check if Vulnerable:

Check the OpenMage version in the admin panel or via composer.json. The system is vulnerable if the version is below 19.4.10 on the 19.x branch or below 20.0.5 on the 20.x branch.

Check Version:

composer show openmage/magento-lts

(OpenMage is based on Magento 1 and does not ship the Magento 2 `bin/magento` CLI. When the store was installed via Composer, the command above reports the installed package version; otherwise read the version from composer.json or app/Mage.php in the install root.)

Verify Fix Applied:

Verify OpenMage version is 19.4.10 or higher (for 19.x branch) or 20.0.5 or higher (for 20.x branch).
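Because the fix threshold depends on the release branch (19.4.9 is vulnerable while 20.0.5 is fixed, even though 19.4.9 is numerically lower than 20.0.5), a naive "is it below 20.0.5" check gets the 19.x branch wrong. The following POSIX shell function is an added example, not OpenMage project code; it classifies a version string you have already obtained (for instance from composer.json) against the two fix releases, and the version strings in the demo loop are constructed.

```shell
#!/bin/sh
# Added example (not OpenMage project code): classify an OpenMage version
# string against the CVE-2020-26295 fix releases, 19.4.10 and 20.0.5.
# The fix threshold is chosen per release branch, so 19.4.9 is vulnerable
# while 20.0.5 is fixed even though 19.4.9 < 20.0.5 numerically.

# Usage: openmage_status VERSION  -> prints vulnerable | fixed | unknown
openmage_status() {
    ver=$1
    case ${ver%%.*} in
        19) fixed=19.4.10 ;;
        20) fixed=20.0.5 ;;
        *)  echo unknown; return 0 ;;   # not a 19.x or 20.x release string
    esac
    # Compare the first three dotted fields numerically; awk exit 0 means ver < fixed.
    if awk -v a="$ver" -v b="$fixed" 'BEGIN {
            n = split(a, x, "."); m = split(b, y, ".")
            for (i = 1; i <= 3; i++) {
                p = (i <= n) ? x[i] + 0 : 0
                q = (i <= m) ? y[i] + 0 : 0
                if (p < q) exit 0
                if (p > q) exit 1
            }
            exit 1   # equal to the fix release counts as fixed
        }'; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Demo over constructed version strings.
for v in 19.4.9 19.4.10 20.0.4 20.0.5 20.0.12 1.9.4.5; do
    printf '%-8s %s\n' "$v" "$(openmage_status "$v")"
done
```

Feed it the output of your own version check, e.g. `openmage_status "$(grep -o '"version": *"[^"]*"' composer.json | cut -d'"' -f4)"`, and treat `unknown` as a prompt to inspect the install manually rather than as a pass.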

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrator activity with import/export functions
  • Suspicious XML uploads or modifications to layout XML files
  • File creation in unexpected directories

Network Indicators:

  • Unusual outbound connections from web server
  • File uploads to admin endpoints

SIEM Query:

source="web_access.log" AND (uri="/admin/*/import" OR uri="/admin/*/export") AND status=200
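Where no SIEM is in front of the web tier, the same query can be run directly against the web server's access log. The shell functions below are an added example, not OpenMage project code: an awk filter over an Apache combined-format log that keeps successful (HTTP 200) admin requests touching import/export or CMS page editing, plus a counter that can drive a threshold alert. The sample log lines, IP addresses and admin URL paths are constructed for illustration; the pattern assumes the default `admin` front name, so adjust it for installs that renamed it.

```shell
#!/bin/sh
# Added example (not OpenMage project code): the SIEM query for this CVE
# expressed as an awk filter over an Apache combined-format access log.
# Sample log lines and admin URL paths below are constructed for illustration.

# Print access-log lines where an /admin/ request that touched import/export
# or CMS page editing was answered with HTTP 200.
# Combined log fields: $7 is the request path, $9 is the status code.
flag_admin_io() {
    awk '$9 == 200 && $7 ~ /\/admin\// && $7 ~ /(import|export|cms_page)/' "$1"
}

# Count such lines (convenient for a threshold alert).
count_admin_io() {
    flag_admin_io "$1" | wc -l | tr -d ' '
}

# Write a constructed sample log to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [22/Dec/2020:10:01:07 +0000] "GET /index.php/admin/dashboard/index/ HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Dec/2020:10:02:19 +0000] "POST /index.php/admin/import/start/ HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Dec/2020:10:02:44 +0000] "POST /index.php/admin/cms_page/save/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Dec/2020:10:03:01 +0000] "POST /index.php/admin/cms_page/save/ HTTP/1.1" 403 120 "-" "curl/7.68.0"
198.51.100.9 - - [22/Dec/2020:10:03:15 +0000] "GET /catalog/product/view/id/42/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Dec/2020:10:04:30 +0000] "POST /index.php/admin/export/export/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Demo: flag the matching lines in the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
flag_admin_io "$sample"
rm -f "$sample"
```

Note that the filter deliberately ignores the rejected (403) CMS save: a permission denial is not the activity this CVE depends on. For a real alert, pair the count with a per-account baseline, since a legitimate bulk import will also match.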
