CVE-2015-1398

Name of the Vulnerable Software and Affected Versions Magento Community Edition versions 1.9.1.0 Magento Enterprise Edition versions 1.14.1.0

Description The issue allows remote authenticated users to include and execute certain PHP files. This can be achieved via .. (dot dot) sequences in the PATH INFO to index.php or through vectors involving a block value in the directive parameter to the Cms Wysiwyg controller in the Adminhtml module. The issue is related to the blockDirective function and the auto loading mechanism.

Recommendations For Magento Community Edition version 1.9.1.0, consider restricting access to the Adminhtml module until a patch is available. For Magento Enterprise Edition version 1.14.1.0, consider disabling the Cms Wysiwyg controller as a temporary workaround until a fix is provided. Avoid using the directive parameter in the Cms Wysiwyg controller until the issue is resolved.