N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-cv25-3pxr-4q7x

EPSS Score

CWE

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-cv25-3pxr-4q7x

GHSA-cv25-3pxr-4q7x:
Magento Open Source Security Advisory: Patch SUPEE-10975

Magento Commerce 1.14.4.0 and Open Source 1.9.4.0 have been enhanced with critical security updates to address multiple vulnerabilities, including remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF), and more. The following issues have been identified and remediated:

PRODSECBUG-1589: Stops Brute Force Requests via basic RSS authentication
MAG-23: M1 Credit Card Storage Capability
PRODSECBUG-2149: Authenticated RCE using customer import
PRODSECBUG-2159: API Based RCE Vulnerability
PRODSECBUG-2156: RCE Via Unauthorized Upload
PRODSECBUG-2155: Authenticated RCE using dataflow
PRODSECBUG-2053: Prevents XSS in Newsletter Template
PRODSECBUG-2142: XSS in CMS Preview
PRODSECBUG-1860: Admin Account XSS Attack Cessation via Filename
PRODSECBUG-2119: EE Patch to include names in templates
PRODSECBUG-2129: XSS in Google Analytics Vulnerability
PRODSECBUG-2019: Merchant Wishlist Security Strengthening
PRODSECBUG-2104: Send to a Friend Vulnerability
PRODSECBUG-2125: CSRF on deletion of Blocks Vulnerability
PRODSECBUG-2088: CSRF Vulnerability related to Customer Group Deletion
PRODSECBUG-2140: CSRF on deletion of Site Map
PRODSECBUG-2108: Outdated jQuery causing PCI scanning failures
MAG-12, MAG-2: Encryption Keys Stored in Plain Text
PRODSECBUG-2141: Unauthorized Admin Panel Bypass

Patching and Upgrading:

Patches and upgrades are available for the following Magento versions:

Magento Commerce 1.9.0.0-1.14.4.0: Apply SUPEE-10975 or upgrade to Magento Commerce 1.14.4.0. Magento Open Source 1.5.0.0-1.9.4.0: Apply SUPEE-10975 or upgrade to Magento Open Source 1.9.4.0.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-cv25-3pxr-4q7x

EPSS Score

CWE

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 1.9.0.0, < 1.14.4.0	1.14.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Key vulnerabilities were identified through pattern matching against Magento's architecture and common exploit vectors:

RCE vulnerabilities consistently involved unsafe unserialization patterns in dataflow/customer import modules
XSS issues mapped to admin controllers rendering user-controlled data without escaping
CSRF gaps matched controller actions missing form key validation
Confidence levels reflect alignment with Magento's code structure and vulnerability descriptions, though lack of direct code access introduces medium uncertainty for some entries

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto *omm*r** *.**.*.* *n* Op*n Sour** *.*.*.* **v* ***n *n**n*** wit* *riti**l s**urity up**t*s to ***r*ss multipl* vuln*r**iliti*s, in*lu*in* r*mot* *o** *x**ution (R**), *ross-sit* s*riptin* (XSS), *ross-sit* r*qu*st *or**ry (*SR*), *n* mor*. T

Reasoning

K*y vuln*r**iliti*s w*r* i**nti*i** t*rou** p*tt*rn m*t**in* ***inst M***nto's *r**it**tur* *n* *ommon *xploit v**tors: *. R** vuln*r**iliti*s *onsist*ntly involv** uns*** uns*ri*liz*tion p*tt*rns in **t**low/*ustom*r import mo*ul*s *. XSS issu*s m*p

N/A

Basic Information

Concerned about an active attack path?

GHSA-cv25-3pxr-4q7x: Magento Open Source Security Advisory: Patch SUPEE-10975

Patching and Upgrading:

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-cv25-3pxr-4q7x:
Magento Open Source Security Advisory: Patch SUPEE-10975

Vulnerability Intelligence
Miggo AI