
CVE-2021-21427

CVE-2021-21427 is a blind SQL injection vulnerability in the Search function of Magento 1 and OpenMage (the corresponding Magento 2 issue is tracked as CVE-2021-21024 / PRODSECBUG-2896). Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).

Patch for CVE-2021-21427

The patch was backported from Magento 2 and is included in OpenMage v19.4.13 and v20.0.10. It can be downloaded from GitHub: [https://github.com/OpenMage/magento-lts/commit/368a5857d0fc393c498b55c356448a5fabcb2119.patch]

diff --git a/lib/Varien/Db/Adapter/Pdo/Mysql.php b/lib/Varien/Db/Adapter/Pdo/Mysql.php
index 7e5a54633c..5a5ae13dff 100644
--- a/lib/Varien/Db/Adapter/Pdo/Mysql.php
+++ b/lib/Varien/Db/Adapter/Pdo/Mysql.php
@@ -3001,9 +3001,8 @@ public function prepareSqlCondition($fieldName, $condition)
      */
     protected function _prepareQuotedSqlCondition($text, $value, $fieldName)
     {
-        $sql = $this->quoteInto($text, $value);
-        $sql = str_replace('{{fieldName}}', $fieldName, $sql);
-        return $sql;
+      $text = str_replace('{{fieldName}}', $fieldName, $text);
+      return $this->quoteInto($text, $value);
     }
 
     /**
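Review bot: the two added lines are indented with six spaces while the removed lines and the rest of the method body use eight; align them to the surrounding indent so the file stays consistent. The reordering itself is the right fix: substituting `{{fieldName}}` into `$text` before `quoteInto()` runs means the replacement can no longer touch the quoted `$value`, so a value that happens to contain the placeholder text stays inside its quotes instead of being rewritten into raw SQL. `$fieldName` is still interpolated as an unquoted identifier, so callers remain responsible for passing a trusted or `quoteIdentifier()`-quoted name; that contract is worth stating in the docblock above the method.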