CVE-2015-1397

Name of the Vulnerable Software and Affected Versions Magento Community Edition (CE) version 1.9.1.0 Magento Enterprise Edition (EE) version 1.14.1.0

Description The issue allows remote administrators to execute arbitrary SQL commands. This is achieved via the popularity[field expr] parameter when either the popularity[from] or popularity[to] parameter is set. The getCsvFile function in the Mage Adminhtml Block Widget Grid class is affected.

Recommendations For Magento Community Edition (CE) version 1.9.1.0, avoid using the popularity[field expr] parameter in the affected function until the issue is resolved. For Magento Enterprise Edition (EE) version 1.14.1.0, restrict access to the getCsvFile function in the Mage Adminhtml Block Widget Grid class to minimize the risk of exploitation.