Data Flow Sanitation Issue Fix
Description
OpenMage magento-lts is an alternative to the Magento CE official releases. Due to missing sanitation in data flow in versions prior to 19.4.15 and 20.0.13, it was possible for admin users to upload arbitrary executable files to the server. OpenMage versions 19.4.15 and 20.0.13 have a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Admin users in OpenMage magento-lts before 19.4.15 and 20.0.13 can upload arbitrary executable files due to missing data flow sanitation.
Vulnerability
OpenMage magento-lts versions prior to 19.4.15 and 20.0.13 contain a data flow sanitation flaw that allows admin users to upload arbitrary executable files to the server [1][4]. The fix commit listed under Patches changes a single line in the Dataflow I/O adapter (app/code/core/Mage/Dataflow/Model/Convert/Adapter/Io.php): the adapter's `type` variable is lowercased before the `switch` that selects the handler. In the unpatched code that comparison is case-sensitive, so a value such as `File` does not enter the `case 'file'` branch, and the export/import path validation performed in that branch is not applied to the file the profile then writes.
Exploitation
An authenticated admin user with file upload permissions can craft a malicious file (e.g., a PHP web shell) and upload it through the admin panel. No additional privileges or user interaction is required beyond standard admin access [4].
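To make the mechanism in the Vulnerability and Exploitation paragraphs concrete, here is an added PHP model of the dispatch; it is not OpenMage's code. Only the case-sensitive `switch`, the `strtolower()` fix and the "validate export/import path" step come from the diff under Patches. The allowed root `var/export`, the path validator, the assumption that the unpatched adapter carries on with the unvalidated path, the profile XML shape, and the helper names `normalisePath`, `assertInsideRoot`, `resolveIoTarget` and `auditProfileIoTypes` are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not OpenMage's code. Models the case-sensitive
// `switch ($this->getVar('type', 'file'))` in
// Mage_Dataflow_Model_Convert_Adapter_Io::getResource() that the fix commit
// on this page wraps in strtolower(). Allowed root, validator, the idea that
// the unpatched adapter proceeds with an unvalidated path, and the profile
// XML layout used by auditProfileIoTypes() are assumptions.

/** Collapse '.', '..' and repeated separators without touching the filesystem. */
function normalisePath(string $path): string
{
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return implode('/', $parts);
}

/** Stand-in for the "validate export/import path" step in the diff's `case 'file'` branch. */
function assertInsideRoot(string $allowedRoot, string $path): void
{
    $root = rtrim($allowedRoot, '/') . '/';
    if (strpos($path . '/', $root) !== 0) {
        throw new RuntimeException("'$path' is outside '$allowedRoot'");
    }
}

/**
 * Mirror of the adapter's type dispatch; $patched toggles the one-line fix.
 * Returns ['validated' => bool, 'target' => string].
 */
function resolveIoTarget(array $vars, bool $patched): array
{
    $type = $vars['type'] ?? 'file';
    if ($patched) {
        $type = strtolower($type);          // the fix: normalise before dispatch
    }
    $target = normalisePath(rtrim($vars['path'], '\\/') . '/' . $vars['filename']);
    $validated = false;
    switch ($type) {
        case 'file':
            // validate export/import path (the branch shown in the diff)
            assertInsideRoot('var/export', $target);
            $validated = true;
            break;
        case 'ftp':
            $target = 'ftp://' . ($vars['host'] ?? 'localhost') . '/' . $target;
            $validated = true;
            break;
        // No default: a value matching neither case skips both branches, and
        // (assumption) the unpatched code carries on with an unchecked path.
    }
    return ['validated' => $validated, 'target' => $target];
}

/**
 * Audit helper: io `type` values in a profile's actions_xml that are not exactly
 * 'file' or 'ftp'. Assumes bare <action type="dataflow/convert_adapter_io">
 * elements containing <var name="type">, wrapped here in a root element.
 */
function auditProfileIoTypes(string $actionsXml): array
{
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string('<root>' . $actionsXml . '</root>');
    if ($xml === false) {
        return ['(unparseable actions_xml)'];
    }
    $nodes = $xml->xpath('//action[@type="dataflow/convert_adapter_io"]/var[@name="type"]') ?: [];
    $odd = [];
    foreach ($nodes as $node) {
        $value = trim((string) $node);
        if (!in_array($value, ['file', 'ftp'], true)) {
            $odd[] = $value;
        }
    }
    return $odd;
}

// Constructed profile vars: mixed-case type plus a path that escapes var/export.
$vars = ['type' => 'File', 'path' => 'var/export/../../media', 'filename' => 'shell.php'];

$before = resolveIoTarget($vars, false);
printf("unpatched: validated=%s target=%s\n", var_export($before['validated'], true), $before['target']);

try {
    resolveIoTarget($vars, true);
} catch (RuntimeException $e) {
    echo 'patched: ' . $e->getMessage() . "\n";
}

// Constructed actions_xml carrying the same mixed-case type.
$actionsXml = '<action type="dataflow/convert_adapter_io" method="save">'
    . '<var name="type">File</var><var name="path">var/export/../../media</var>'
    . '<var name="filename"><![CDATA[shell.php]]></var></action>';
print_r(auditProfileIoTypes($actionsXml));
```

Run it with `php example.php`. Unpatched, the `File` profile resolves to `media/shell.php` with `validated=false`; patched, the same vars are lowercased into the `file` branch and rejected. The audit helper is a starting point for checking stored Dataflow profiles (in Magento 1 installs the `dataflow_profile.actions_xml` column, itself an assumption here) for type values that would have missed the `file` case before the patch; a stored mixed-case type on an unpatched host is worth treating as a possible abuse artefact, not only a misconfiguration.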
Impact
Successful exploitation leads to arbitrary code execution on the server as the web server user, resulting in full compromise of the application and potentially the underlying system [1][4]. This could lead to data theft, further lateral movement, or persistent backdoor access.
Mitigation
The vulnerability is fixed in OpenMage magento-lts versions 19.4.15 and 20.0.13, released on August 26-27, 2021 [2][3]. Users should upgrade immediately. No workarounds have been disclosed. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openmage/magento-lts (Packagist) | < 19.4.15 | 19.4.15 |
| openmage/magento-lts (Packagist) | >= 20.0.0, < 20.0.13 | 20.0.13 |
Affected products
- OpenMage/magento-lts (v5): range < 19.4.15
Patches
34709ac642d5 Merge pull request from GHSA-xm9f-vxmx-4m58
1 file changed · +1 −1
app/code/core/Mage/Dataflow/Model/Convert/Adapter/Io.php+1 −1 modified@@ -49,7 +49,7 @@ public function getResource($forWrite = false) $isError = false; $ioConfig = $this->getVars(); - switch ($this->getVar('type', 'file')) { + switch (strtolower($this->getVar('type', 'file'))) { case 'file': //validate export/import path $path = rtrim($ioConfig['path'], '\\/')
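Review bot: strtolower() makes `File`/`FILE` hit `case 'file'`, but only case is normalised, and the hunk's trailing context ends inside that branch, so it does not show whether the switch has a `default:`; confirm that a value matching no case (a misspelling, or one with surrounding whitespace) is rejected rather than allowed to skip the "validate export/import path" block, e.g. add `trim()` to the normalisation and a `default:` that calls `Mage::throwException(...)`. Since the lowercased value is computed only for the switch, also check that any later `$this->getVar('type')` use in the class agrees with the branch taken here, and consider rejecting unknown types when the profile is saved rather than only at resource-acquisition time.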
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xm9f-vxmx-4m58 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-32759 (NVD entry)
- github.com/OpenMage/magento-lts/commit/34709ac642d554aa1824892059186dd329db744b (fix commit)
- github.com/OpenMage/magento-lts/releases/tag/v19.4.15 (release)
- github.com/OpenMage/magento-lts/releases/tag/v20.0.13 (release)
- github.com/OpenMage/magento-lts/security/advisories/GHSA-xm9f-vxmx-4m58 (vendor advisory)