github OpenMage/magento-lts v20.0.19

20 months ago

This is an important security update release; it includes six security patches:

  • CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
  • CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
  • CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
  • CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
  • CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
  • CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter

All of these updates should be fully backward compatible, except one: CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF is a breaking change, and you will need to take action after upgrading to this version of OpenMage.

Specifically, if your custom theme overrides the customer/form/resetforgottenpassword.phtml template, you will have to modify it and add this code <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" /> right after the opening <form tag. Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.

If your custom theme does not override customer/form/resetforgottenpassword.phtml, or if you are not using a custom theme at all, no action is required.
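The hidden field described above is only half of the protection: it is effective because the server-side action that handles the POST compares the submitted form_key against the key stored in the visitor's session and rejects the request on mismatch. The following is an added illustration of that pairing, not OpenMage's patch code. The template part mirrors the line from the release note; the controller part is a hypothetical module (My_Customer) overriding the reset action and uses _validateFormKey(), a helper that Mage_Core_Controller_Front_Action provides for exactly this comparison. The action URL is simplified (the real template also carries the customer id and reset token as query parameters), and the remaining validation logic is left as a comment.

```php
<?php
// Added illustration (not the project's own patch code) of CSRF protection
// for the reset-password form in a Magento-1-style (OpenMage) stack.
//
// Part 1: template side. In a custom theme this is
// app/design/frontend/<package>/<theme>/template/customer/form/resetforgottenpassword.phtml
// The hidden form_key binds the submission to the visitor's own session;
// $this->getFormKey() returns the per-session key from core/session.
// (Action URL simplified here; the real template also passes id and token.)
?>
<form action="<?php echo $this->getUrl('*/*/resetpasswordpost') ?>" method="post" id="form-validate">
    <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" />
    <input type="password" name="password" id="password" />
    <input type="password" name="confirmation" id="confirmation" />
    <button type="submit"><?php echo $this->__('Reset a Password') ?></button>
</form>
<?php
// Part 2: controller side. Hypothetical module My_Customer that overrides the
// account controller; only the form-key gate is shown.
class My_Customer_AccountController extends Mage_Core_Controller_Front_Action
{
    public function resetPasswordPostAction()
    {
        // _validateFormKey() (Mage_Core_Controller_Front_Action) reads the
        // form_key request parameter and returns true only when it equals the
        // key stored in the session. A cross-site request cannot know that
        // value, so the POST is refused before any password is changed.
        if (!$this->_validateFormKey()) {
            Mage::getSingleton('customer/session')->addError(
                $this->__('Invalid form key. Please try again.')
            );
            $this->_redirect('*/*/');
            return;
        }

        // ... existing checks continue here: customer id and reset token
        // lookup, token expiry, password/confirmation match, then the update.
    }
}
```

If a custom theme ships its own copy of the template without the hidden field, every legitimate reset submission is rejected by this gate, which is why the release note calls the change breaking. The same check also applies to any custom controller that overrides the reset action: it must keep the form-key validation, not just the template line.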
