CVE-2015-1399

Name of the Vulnerable Software and Affected Versions Magento Community Edition (CE) version 1.9.1.0 Magento Enterprise Edition (EE) version 1.14.1.0

Description A remote file inclusion issue exists in the fetchView function within the Mage Core Block Template Zend class, allowing remote administrators to execute arbitrary PHP code. This is achieved via a URL in unspecified vectors involving the setScriptPath function. It is unclear whether this issue crosses privilege boundaries, as administrators may already have privileges to include arbitrary files.

Recommendations For Magento Community Edition (CE) version 1.9.1.0, consider disabling the fetchView function in the Mage Core Block Template Zend class as a temporary workaround until a patch is available. For Magento Enterprise Edition (EE) version 1.14.1.0, restrict access to the setScriptPath function to minimize the risk of exploitation.