Highmark-Netalico

**Name of the Vulnerable Software and Affected Versions** OpenMage LTS versions prior to 19.4.22 OpenMage LTS versions prior to 20.0.19 **Description** The issue allows admin users to execute arbitrary commands via block methods in the Custom Layout feature. This is a significant problem as it can lead to unauthorized access and control of the e-commerce platform. **Recommendations** For versions prior to 19.4.22, update to version 19.4.22 or later to resolve the issue. For versions prior to 20.0.19, update to version 20.0.19 or later to resolve the issue. As a temporary workaround, consider disabling the Custom Layout feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenMage LTS versions prior to 19.4.22 OpenMage LTS versions prior to 20.0.19 **Description** The issue affects OpenMage LTS, an e-commerce platform. Magento admin users with access to the customer media could execute code on the server. **Recommendations** For versions prior to 19.4.22, update to version 19.4.22 or later. For versions prior to 20.0.19, update to version 20.0.19 or later.

**Name of the Vulnerable Software and Affected Versions** OpenMage LTS versions prior to 19.4.22 OpenMage LTS versions prior to 20.0.19 **Description** The issue allows a layout block to bypass the block blacklist, enabling the execution of remote code. This is a significant problem for an e-commerce platform like OpenMage LTS. **Recommendations** For versions prior to 19.4.22, update to version 19.4.22 or later to resolve the issue. For versions prior to 20.0.19, update to version 20.0.19 or later to resolve the issue. As a temporary workaround, consider restricting access to layout blocks until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OpenMage Magento LTS versions prior to 19.4.15 OpenMage Magento LTS versions prior to 20.0.11 **Description** The issue allows admin users to execute arbitrary commands via block methods when layout XML is enabled. This can be exploited by admin users, potentially leading to unauthorized access and command execution. **Recommendations** For versions prior to 19.4.15, update to version 19.4.15 or later. For versions prior to 20.0.11, update to version 20.0.11 or later.

**Name of the Vulnerable Software and Affected Versions** OpenMage versions prior to 19.4.15 OpenMage versions prior to 20.0.13 **Description** The issue is due to missing sanitation in data flow, allowing admin users to upload arbitrary executable files to the server. **Recommendations** For versions prior to 19.4.15, update to version 19.4.15 or later to resolve the issue. For versions prior to 20.0.13, update to version 20.0.13 or later to resolve the issue.