Description

The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 does not restrict the stream wrapper used in a template path, which allows remote administrators to include and execute arbitrary PHP files via the phar:// stream wrapper, related to the setScriptPath function. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have privileges to include arbitrary files.

Remediation

References

CVE-2015-3458

Related Vulnerabilities

Ruby Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2016-2339)

ownCloud Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-9049)

WordPress Plugin Dynamic Content for Elementor Remote Code Execution (1.9.5.6)

WordPress Plugin Mailster-Email Newsletter for WordPress Cross-Site Scripting (2.4.5.1)

WordPress Plugin Twitter Button by BestWebSoft Cross-Site Request Forgery (2.14)

Severity

Medium

Classification

CVE-2015-3458 CWE-264

Tags

Missing Update Known Vulnerabilities