OpenMage LTS arbitrary command execution in custom layout update through blocks
Description
OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenMage LTS before 19.4.22 and 20.0.19 allows admin users to execute arbitrary commands through custom layout by abusing block methods.
Vulnerability
Overview
CVE-2021-39217 is a high-severity vulnerability in OpenMage LTS, an open-source e-commerce platform derived from Magento Community Edition. Prior to versions 19.4.22 and 20.0.19, the custom layout feature allowed authenticated admin users to execute arbitrary commands by supplying specially crafted block methods [1][2]. The root cause lies in insufficient validation of method calls within layout updates, enabling an attacker to bypass the intended blacklist of dangerous block actions.
Exploitation
Details
An admin user with access to the custom layout editing functionality can inject block directives that invoke arbitrary methods on blocks. The vulnerability arises because the validation logic in Mage_Core_Helper_Abstract did not correctly parse method names containing a double colon (::): a blacklisted method written with a class prefix other than the one listed in the blacklist entry was not recognised at all, which could be used to circumvent the blacklist [4]. For example, a crafted layout update could call the fetchView or render methods on blocks such as Mage_Page_Block_Html_Topmenu_Renderer, methods the blacklist is meant to forbid, leading to arbitrary code execution [2][4]. No additional authentication beyond administrative credentials is required, as the functionality is available to users with admin-level permissions.
Impact
Successful exploitation allows an authenticated admin attacker to execute arbitrary operating system commands on the server, effectively gaining full control of the application and underlying infrastructure [1]. This could lead to data breaches, site defacement, or further lateral movement within the network.
Mitigation
The vulnerability has been patched in OpenMage LTS versions 19.4.22 and 20.0.19 [1][2]. The fix, implemented in commit 289bd4b, improves the blacklist validation by correctly parsing method calls that include a class prefix and blocks additional dangerous method combinations [4]. Users are strongly advised to update immediately, as no workarounds are publicly recommended.
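The blacklist bypass described under Exploitation and the change described under Mitigation, side by side, as an added example that is not OpenMage's own code: two small PHP functions that model the block-method check before and after the patch, run over a handful of constructed method names. Class names mirror the page, but the class hierarchy is a stand-in, and the "keep the last `::` segment" choice is an assumption of this example (the actual patch uses `explode(...)[1]`).

```php
<?php
// Added example, not OpenMage's code: a minimal model of the block-method blacklist
// check before and after the CVE-2021-39217 fix. The class hierarchy below is a
// stand-in for the real Magento block classes (assumption: Topmenu_Renderer extends
// Mage_Core_Block_Template, which is what the page's unit-test data relies on).

class Mage_Core_Block_Abstract {}
class Mage_Core_Block_Template extends Mage_Core_Block_Abstract {}
class Mage_Page_Block_Html_Topmenu_Renderer extends Mage_Core_Block_Template {}

// Blacklist entries in the shape the helper iterates over: block class + method name.
const INVALID_BLOCK_ACTIONS = [
    ['block' => 'Mage_Core_Block_Template', 'method' => 'fetchView'],
    ['block' => 'Mage_Core_Block_Template', 'method' => 'render'],
];

// Pre-fix logic (mirrors the removed lines of the patch): a "Class::method" name is
// only recognised when Class is exactly the blacklisted class, so any other prefix
// (a subclass name, for instance) is not matched by either condition.
function isForbiddenBeforeFix(Mage_Core_Block_Abstract $block, string $method): bool
{
    $calledMethod = strtolower($method);
    foreach (INVALID_BLOCK_ACTIONS as $action) {
        $exactMethod   = strtolower($action['method']) === $calledMethod;
        $exactPrefixed = strtolower($action['block'] . '::' . $action['method']) === $calledMethod;
        if ($block instanceof $action['block'] && ($exactMethod || $exactPrefixed)) {
            return true;
        }
    }
    return false;
}

// Post-fix logic: strip any "Class::" prefix and compare the bare method name, so the
// runtime type of $block (via instanceof) is the only thing that decides.
// Assumption of this example: the last segment is kept (the patch uses index 1), so a
// name with several "::" separators is still reduced to its final method name.
function isForbiddenAfterFix(Mage_Core_Block_Abstract $block, string $method): bool
{
    $calledMethod = strtolower($method);
    if (strpos($calledMethod, '::') !== false) {   // str_contains() needs PHP 8.0+
        $parts        = explode('::', $calledMethod);
        $calledMethod = (string) end($parts);
    }
    foreach (INVALID_BLOCK_ACTIONS as $action) {
        if ($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod) {
            return true;
        }
    }
    return false;
}

// Constructed method names, in the form a layout <action method="..."> directive carries.
$block = new Mage_Page_Block_Html_Topmenu_Renderer();
$cases = [
    'fetchView',                                          // bare name: both versions deny
    'Mage_Core_Block_Template::fetchView',                // exact listed prefix: both deny
    'Mage_Page_Block_Html_Topmenu_Renderer::fetchView',   // subclass prefix: old check allows
    'Mage_Page_Block_Html_Topmenu_Renderer::render',      // same pattern with render
    'toHtml',                                             // not blacklisted: both allow
];

printf("%-52s %-8s %s\n", 'method', 'before', 'after');
foreach ($cases as $method) {
    printf(
        "%-52s %-8s %s\n",
        $method,
        isForbiddenBeforeFix($block, $method) ? 'deny' : 'ALLOW',
        isForbiddenAfterFix($block, $method) ? 'deny' : 'ALLOW'
    );
}
```

Run it with `php`: the third and fourth rows are the ones where the pre-fix check prints ALLOW and the post-fix check prints deny, which is exactly the pair of cases the patch adds to the unit-test data provider. The comparison is done on the bare method name because, whatever class prefix the directive names, the object the method is invoked on is still `$block`, so `instanceof` against the blacklisted class is the property that matters.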
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openmage/magento-lts (Packagist) | < 19.4.22 | 19.4.22 |
| openmage/magento-lts (Packagist) | >= 20.0.0, < 20.0.19 | 20.0.19 |
Affected products
- OpenMage/magento-lts, range: < 19.4.22
Patches
- 289bd4b4f536 Merge pull request from GHSA-c9q3-r4rv-mjm7
2 files changed · +14 −4
app/code/core/Mage/Core/Helper/Security.php+4 −4 modified@@ -43,10 +43,10 @@ public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $bl { foreach ($this->invalidBlockActions as $action) { $calledMethod = strtolower($method); - if (($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod) - || ($block instanceof $action['block'] - && strtolower($action['block'] . '::' . $action['method']) === $calledMethod) - ) { + if (str_contains($calledMethod, '::')) { + $calledMethod = explode('::', $calledMethod)[1]; + } + if ($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod) { Mage::throwException( sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method) );
dev/tests/unit/Mage/Core/Helper/Security.php+10 −0 modified@@ -65,11 +65,21 @@ public function forbiddenBlockMethodsDataProvider() 'Mage_Core_Block_Template::fetchView', [] ], + [ + $topmenu, + 'Mage_Page_Block_Html_Topmenu_Renderer::fetchView', + [] + ], 'parent class name is passed as second arg' => [ $topmenu, 'Mage_Core_Block_Template::fetchView', [] ], + 'parent class name is passed as second arg2' => [ + $topmenu, + 'Mage_Core_Block_Template::render', + [] + ], ]; }
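Review bot: in the Security.php hunk, `explode('::', $calledMethod)[1]` keeps only the second segment, so a method string with more than one `::` would be compared on its middle part rather than its final method name; taking the last segment (`$parts = explode('::', $calledMethod); $calledMethod = end($parts);`) is the more robust reduction. `str_contains()` also only exists from PHP 8.0, so either the project's minimum PHP version or a loaded polyfill needs to cover it, otherwise `strpos($calledMethod, '::') !== false` keeps the check working on 7.x. The simplification itself is sound: discarding the prefix and relying on `$block instanceof $action['block']` lets the runtime block type decide, which is exactly what the removed second condition failed to do when the prefix named a subclass.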
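Review bot: the new `Mage_Page_Block_Html_Topmenu_Renderer::fetchView` case in the test hunk is the regression test for the bypass but is the only unkeyed entry in the provider; giving it a descriptive key like the neighbouring `'parent class name is passed as second arg'` makes a failure readable, and `'parent class name is passed as second arg2'` would read better as a key that names what differs (the `render` method). A case with two `::` separators would additionally pin down the `explode(...)[1]` behaviour introduced in the helper.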
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c9q3-r4rv-mjm7 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-39217 (ghsa; ADVISORY)
- github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f (ghsa; x_refsource_MISC; WEB)
- github.com/OpenMage/magento-lts/releases/tag/v19.4.22 (ghsa; x_refsource_MISC; WEB)
- github.com/OpenMage/magento-lts/releases/tag/v20.0.19 (ghsa; x_refsource_MISC; WEB)
- github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7 (ghsa; x_refsource_CONFIRM; WEB)