OpenMage LTS arbitrary file deletion in customer media allows for remote code execution
Description
OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated admin users with customer media access can exploit arbitrary file deletion to execute remote code in OpenMage LTS before 19.4.22 and 20.0.19.
Vulnerability
Overview
CVE-2021-41143 describes an arbitrary file deletion vulnerability in OpenMage LTS, an e-commerce platform derived from Magento. The flaw resides in the customer media handling functionality, where an authenticated admin user with access to customer media could delete arbitrary files on the server. This file deletion capability can be leveraged to achieve remote code execution (RCE) by targeting critical system or application files. The vulnerability affects all versions prior to 19.4.22 and 20.0.19 [1].
Exploitation
Conditions
The attack requires authenticated admin-level access to the OpenMage admin panel, specifically the ability to manage customer media assets. An attacker with these privileges can craft requests to delete arbitrary files, such as configuration files, templates, or executable code. While the direct impact is file deletion, the security advisory (GHSA-5vpv-xmcj-9q85) notes that this can be chained with other actions to execute arbitrary code on the server [3]. No additional authentication or network position beyond admin access is needed, making it a serious internal threat.
Impact
Successful exploitation allows an attacker to delete arbitrary files, leading to remote code execution with the privileges of the web server user. This could result in full compromise of the e-commerce platform, including data exfiltration, site defacement, or further lateral movement within the infrastructure. The vulnerability is considered high severity due to the combination of low authentication requirements and high potential impact.
Mitigation
The issue is fixed in OpenMage LTS versions 19.4.22 and 20.0.19. The release notes for v20.0.19 confirm the patch as part of a security update bundle [4]. Users are strongly advised to upgrade immediately. There are no known workarounds; applying the update is the only complete mitigation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openmage/magento-lts (Packagist) | < 19.4.22 | 19.4.22 |
| openmage/magento-lts (Packagist) | >= 20.0.0, < 20.0.19 | 20.0.19 |
Affected products
- OpenMage/magento-lts, range: < 19.4.22
Patches
- 45330ff50439: Merge pull request from GHSA-5vpv-xmcj-9q85
1 file changed · +5 −0
app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php+5 −0 modified@@ -233,6 +233,11 @@ public function deleteDirectory($path) $io->getFilteredPath($path) )); } + if (strpos($pathCmp, chr(0)) !== false + || preg_match('#(^|[\\\\/])\.\.($|[\\\\/])#', $pathCmp) + ) { + throw new Exception('Detected malicious path or filename input.'); + } if (Mage::helper('core/file_storage_database')->checkDbUsage()) { Mage::getModel('core/file_storage_directory_database')->deleteDirectory($path);
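Review bot: the new guard inspects `$pathCmp`, a variable assigned outside this hunk, while the code that follows still passes `$path` to `deleteDirectory($path)`; the check only protects that call if `$pathCmp` is derived from the same `$path` and `$path` is not rewritten in between, so a short comment above the `if` stating that relationship would help, and moving the guard to the top of `deleteDirectory()` before any filesystem or message use of `$path` (the preceding throw already formats `$io->getFilteredPath($path)`) would make the ordering obviously safe. The pattern `'#(^|[\\\\/])\.\.($|[\\\\/])#'` does reject a `..` segment bounded by either separator or by the string start or end, and the `chr(0)` test covers null-byte truncation; a unit test with inputs such as `foo/../bar`, `..\\foo`, a trailing `/..`, and a string containing `\0` would pin that behaviour against future regex edits. Minor: `throw new Exception('Detected malicious path or filename input.')` uses a raw string where the surrounding code builds its messages through a helper; matching that convention keeps the new message consistent and translatable.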
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5vpv-xmcj-9q85 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41143 (advisory)
- github.com/OpenMage/magento-lts/commit/45330ff50439984e806992fa22c3f96c4d660f91 (fix commit)
- github.com/OpenMage/magento-lts/releases/tag/v19.4.22 (release notes)
- github.com/OpenMage/magento-lts/releases/tag/v20.0.19 (release notes)
- github.com/OpenMage/magento-lts/security/advisories/GHSA-5vpv-xmcj-9q85 (vendor security advisory)