Exploitation Summary
CVE-2015-1398 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote authenticated users to include and execute certain PHP files via (1) .. (dot dot) sequences in the PATH_INFO to index.php or (2) vectors involving a block value in the ___directive parameter to the Cms_Wysiwyg controller in the Adminhtml module, related to the blockDirective function and the auto loading mechanism. NOTE: vector 2 might not cross privilege boundaries, since administrators might already have the privileges to execute code and upload files.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
http://magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerability
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1032194
Exploit x_refsource_misc
http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
Scores
EPSS
0.2900
EPSS Percentile
96.6%
Details
VulnCheck KEV
2016-01-22
CWE
CWE-22
Status
published
Products (2)
magento/magento
1.9.1.0
magento/magento
1.14.1.0
Published
Apr 29, 2015
Tracked Since
Feb 18, 2026