All Magento 1.x versions and OpenMage versions prior to 19.4.10 (20.0.6) are affected. The vulnerability is fixed in OpenMage v19.4.10 and patch was released on January 19, 2021.
Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).
Patch for CVE-2020-26285
The patch can be downloaded from Github: [https://github.com/OpenMage/magento-lts/commit/4132668f5009f17456fe644742026f56d2297586.patch]diff --git a/app/code/core/Mage/Widget/Model/Widget/Instance.php b/app/code/core/Mage/Widget/Model/Widget/Instance.php index 6cc5b5a76b..d09ce9fa74 100644 --- a/app/code/core/Mage/Widget/Model/Widget/Instance.php +++ b/app/code/core/Mage/Widget/Model/Widget/Instance.php @@ -495,6 +495,11 @@ public function getWidgetSupportedTemplatesByBlock($blockReference) */ public function generateLayoutUpdateXml($blockReference, $templatePath = '') { + if ($templatePath !== htmlspecialchars($templatePath, ENT_QUOTES | ENT_HTML5) + || $blockReference !== htmlspecialchars($blockReference, ENT_QUOTES | ENT_HTML5)) { + Mage::throwException('Templatepath or block reference contain special characters.'); + } + $templateFilename = Mage::getSingleton('core/design_package')->getTemplateFilename($templatePath, array( '_area' => $this->getArea(), '_package' => $this->getPackage(),