Backport for CVE-2021-21024 Blind SQLi from Magento 2
Description
Magento-lts is a long-term support alternative to Magento Community Edition (CE). A vulnerability in magento-lts versions before 19.4.13 and 20.0.9 potentially allows an administrator unauthorized access to restricted resources. This is a backport of CVE-2021-21024. The vulnerability is patched in versions 19.4.13 and 20.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento-lts before 19.4.13 and 20.0.9 allows an administrator unauthorized access to restricted resources, a backport of CVE-2021-21024.
Vulnerability
Magento-lts, a long-term support alternative to Magento Community Edition (CE), contains a vulnerability in versions prior to 19.4.13 and 20.0.9 [1]. This issue is a backport of the Magento 2 vulnerability CVE-2021-21024, which involves a Blind SQL Injection [2]. An administrator can exploit this to gain unauthorized access to restricted resources. The affected code path is reachable under standard administrative configurations.
Exploitation
An attacker needs valid administrator credentials to trigger the vulnerability [1]. The exact sequence of steps is not detailed in the public references, but the vulnerability is categorized as a Blind SQL Injection, which implies that crafted input reaches a database query through fields or parameters that are not properly sanitized, and that an attacker infers database contents indirectly, for example through boolean-based or time-based techniques, rather than reading query results directly [2].
Impact
Successful exploitation allows an administrator to access restricted resources beyond their intended privilege scope [1][2]. This could lead to disclosure of sensitive data stored in the database (confidentiality impact) or potentially modification of data (integrity impact), though the primary impact described is unauthorized access to restricted resources.
Mitigation
The vulnerability is patched in versions 19.4.13 and 20.0.9 of magento-lts [1][2]. Users should upgrade to these versions as soon as possible. No workarounds are mentioned in the available references. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| openmage/magento-lts | Packagist | < 19.4.13 | 19.4.13 |
| openmage/magento-lts | Packagist | >= 20.0.0, < 20.0.9 | 20.0.9 |
Affected products
- OpenMage/magento-lts (v5), range: <= 19.4.12
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fvrf-9428-527m (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21427 (GHSA, ADVISORY)
- github.com/OpenMage/magento-lts/security/advisories/GHSA-fvrf-9428-527m (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.