OpenMage LTS DataFlow upload remote code execution vulnerability
Description
OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, an administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. Versions 19.4.22 and 20.0.19 contain a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenMage LTS prior to 19.4.22 and 20.0.19 allowed admin with DataFlow upload and product creation permissions to execute arbitrary code via the convert profile.
Vulnerability
Overview
CVE-2021-41231 is a remote code execution vulnerability in OpenMage LTS, an open-source e-commerce platform. The issue affects versions prior to 19.4.22 and 20.0.19. An administrator who has permissions to upload files via DataFlow and to create products can exploit the convert profile to execute arbitrary code on the server [1][2].
Exploitation
Details
The vulnerability is triggered through the DataFlow import/export functionality combined with the product creation interface. An authenticated administrator uploads a specially crafted file via the DataFlow tool and then leverages the "convert profile" mechanism, which processes uploaded data, to inject and execute arbitrary PHP code [1][2][4]. The attack requires only standard administrative privileges for file upload and product management.
Impact
A successful exploit allows the attacker to execute arbitrary PHP code on the underlying server, potentially leading to full compromise of the e-commerce application, access to sensitive customer data, modification of orders or pricing, and further lateral movement within the hosting environment [1][4].
Mitigation
The vulnerability has been patched in OpenMage LTS versions 19.4.22 and 20.0.19 [1][2][4]. Users are strongly advised to upgrade immediately. No published workarounds exist, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
References
[1] NVD - CVE-2021-41231 [2] OpenMage Advisory - DataFlow upload remote code execution vulnerability [4] Release v19.4.22 - OpenMage/magento-lts
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openmage/magento-ltsPackagist | < 19.4.22 | 19.4.22 |
openmage/magento-ltsPackagist | >= 20.0.0, < 20.0.19 | 20.0.19 |
Affected products
2- OpenMage/magento-ltsv5Range: < 19.4.22
Patches
1d16fc6c5a1e6Merge pull request from GHSA-h632-p764-pjqm
2 files changed · +14 −1
app/code/core/Mage/Catalog/Model/Product/Attribute/Backend/Media.php+6 −0 modified@@ -276,6 +276,12 @@ public function addImage( $move = false, $exclude = true ) { + if (strpos($file, chr(0)) !== false + || preg_match('#(^|[\\\\/])\.\.($|[\\\\/])#', $file) + ) { + throw new Exception('Detected malicious path or filename input.'); + } + $file = realpath($file); if (!$file || !file_exists($file)) {
lib/Varien/Io/File.php+8 −1 modified@@ -484,10 +484,17 @@ public function read($filename, $dest = null) * @param int $mode * * @return int|boolean + * @throws Exception */ public function write($filename, $src, $mode = null) { - if (!$this->_isValidSource($src) || !$this->_isFilenameWriteable($filename)) { + if (strpos($filename, chr(0)) !== false + || preg_match('#(^|[\\\\/])\.\.($|[\\\\/])#', $filename) + ) { + throw new Exception('Detected malicious path or filename input.'); + } + + if (!$this->_IsValidSource($src) || !$this->_isFilenameWriteable($filename)) { return false; }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-h632-p764-pjqmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-41231ghsaADVISORY
- github.com/OpenMage/magento-lts/commit/d16fc6c5a1e66c6f0d9f82020f11702a7ddd78e4ghsax_refsource_MISCWEB
- github.com/OpenMage/magento-lts/releases/tag/v19.4.22ghsax_refsource_MISCWEB
- github.com/OpenMage/magento-lts/releases/tag/v20.0.19ghsax_refsource_MISCWEB
- github.com/OpenMage/magento-lts/security/advisories/GHSA-h632-p764-pjqmghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.