
CVE-2020-26285

CVE-2020-26285, also known as the "Widget instances allow to inject an executable file" vulnerability, affects all Magento 1.x and OpenMage versions prior to v19.4.10. It allows an administrator with permissions to import/export data and to create widget instances to inject an executable file on the server.

All Magento 1.x versions and OpenMage versions prior to 19.4.10 (20.0.6) are affected. The vulnerability is fixed in OpenMage v19.4.10, and the patch was released on January 19, 2021.

Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).


Patch for CVE-2020-26285

The patch can be downloaded from GitHub: https://github.com/OpenMage/magento-lts/commit/4132668f5009f17456fe644742026f56d2297586.patch
diff --git a/app/code/core/Mage/Widget/Model/Widget/Instance.php b/app/code/core/Mage/Widget/Model/Widget/Instance.php
index 6cc5b5a76b..d09ce9fa74 100644
--- a/app/code/core/Mage/Widget/Model/Widget/Instance.php
+++ b/app/code/core/Mage/Widget/Model/Widget/Instance.php
@@ -495,6 +495,11 @@ public function getWidgetSupportedTemplatesByBlock($blockReference)
      */
     public function generateLayoutUpdateXml($blockReference, $templatePath = '')
     {
+      if ($templatePath !== htmlspecialchars($templatePath, ENT_QUOTES | ENT_HTML5)
+        || $blockReference !== htmlspecialchars($blockReference, ENT_QUOTES | ENT_HTML5)) {
+          Mage::throwException('Templatepath or block reference contain special characters.');
+      }
+
         $templateFilename = Mage::getSingleton('core/design_package')->getTemplateFilename($templatePath, array(
             '_area'    => $this->getArea(),
             '_package' => $this->getPackage(),
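
Review bot: the new guard at the top of generateLayoutUpdateXml() is a denylist: comparing each argument with its htmlspecialchars(..., ENT_QUOTES | ENT_HTML5) output only rejects the five characters that function escapes (&, <, >, " and '), so anything else in $templatePath still reaches getTemplateFilename() unchecked. An allow-list of the characters a template path and a block reference are expected to contain would be tighter and easier to reason about. Because the comparison is strict (`!==`) and htmlspecialchars() always returns a string, a non-string argument such as null will also throw here, so either cast both values to string first or state the string requirement in the docblock. The message 'Templatepath or block reference contain special characters.' does not say which argument failed, and the added lines are indented by 6 and 8 spaces while the surrounding method body uses 8; please split the check per argument and align the indentation.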