Unrated severityNVD Advisory· Published Apr 29, 2015· Updated May 6, 2026

CVE-2015-1398

Description

Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote authenticated users to include and execute certain PHP files via (1) .. (dot dot) sequences in the PATH_INFO to index.php or (2) vectors involving a block value in the ___directive parameter to the Cms_Wysiwyg controller in the Adminhtml module, related to the blockDirective function and the auto loading mechanism. NOTE: vector 2 might not cross privilege boundaries, since administrators might already have the privileges to execute code and upload files.

Affected products

Magento/Magento2 versions
cpe:2.3:a:magento:magento:1.14.1.0:*:*:*:enterprise:*:*:*+ 1 more
- cpe:2.3:a:magento:magento:1.14.1.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:magento:magento:1.9.1.0:*:*:*:community:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerabilitynvdPatchVendor Advisory
blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/nvdExploit
www.securitytracker.com/id/1032194nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.023
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000