CVE-2021-21427 is a blind SQL injection vulnerability in the Search function of Magento 1 and OpenMage (the same flaw is tracked as CVE-2021-21024 / PRODSECBUG-2896 in Magento 2). Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker, although access to the admin console is required for successful exploitation.
Note: Install this and any other missing patches with our Magento patch installation service, or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).
Patch for CVE-2021-21427
The patch was backported from Magento 2 and is included in OpenMage v19.4.13 and v20.0.10. It can be downloaded from GitHub:
https://github.com/OpenMage/magento-lts/commit/368a5857d0fc393c498b55c356448a5fabcb2119.patch
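The following is an added illustration, not code from this page or from OpenMage, of why the order of the two calls in the patch matters. `quote_into()` is a simplified stand-in for `Varien_Db_Adapter_Pdo_Mysql::quoteInto()`; the template, field expression and user value are constructed for the demonstration, and the page does not say which field or input the Search function actually routes through this method.

```php
<?php
// Added illustration, not OpenMage's code. quote_into() is a deliberately
// small stand-in for Varien_Db_Adapter_Pdo_Mysql::quoteInto(): it turns the
// value into a quoted string literal and substitutes it for every '?' in
// $text. The real adapter delegates quoting to PDO; the ordering problem is
// the same.
function quote_into(string $text, string $value): string
{
    $literal = "'" . addcslashes($value, "'\\\0\n\r\"\x1a") . "'";
    return str_replace('?', $literal, $text);
}

// Pre-patch order: quote the value first, then expand {{fieldName}} in the
// already-quoted SQL (so the placeholder is also expanded inside the literal).
function prepare_condition_before(string $text, string $value, string $fieldName): string
{
    $sql = quote_into($text, $value);
    return str_replace('{{fieldName}}', $fieldName, $sql);
}

// Patched order: expand {{fieldName}} in the template only, then quote the
// value; whatever the value contains stays inside one string literal.
function prepare_condition_after(string $text, string $value, string $fieldName): string
{
    $text = str_replace('{{fieldName}}', $fieldName, $text);
    return quote_into($text, $value);
}

// Constructed inputs (assumptions, not taken from the page). The field is an
// SQL expression that legitimately contains single quotes, as collection
// columns built from CONCAT() often do; the value is user input that happens
// to contain the placeholder token.
$template  = '{{fieldName}} LIKE ?';
$fieldName = "CONCAT(firstname, ' ', lastname)";
$value     = '{{fieldName}}%';

echo 'before: ', prepare_condition_before($template, $value, $fieldName), PHP_EOL;
echo 'after:  ', prepare_condition_after($template, $value, $fieldName), PHP_EOL;
```

With these inputs the pre-patch order prints `CONCAT(firstname, ' ', lastname) LIKE 'CONCAT(firstname, ' ', lastname)%'`: the token inside the quoted value was expanded to the raw field expression, and the expression's own quotes terminate the literal, so user input now shapes the surrounding SQL. The patched order prints `CONCAT(firstname, ' ', lastname) LIKE '{{fieldName}}%'`: the token is just characters inside the literal and nothing is expanded after quoting.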
diff --git a/lib/Varien/Db/Adapter/Pdo/Mysql.php b/lib/Varien/Db/Adapter/Pdo/Mysql.php
index 7e5a54633c..5a5ae13dff 100644
--- a/lib/Varien/Db/Adapter/Pdo/Mysql.php
+++ b/lib/Varien/Db/Adapter/Pdo/Mysql.php
@@ -3001,9 +3001,8 @@ public function prepareSqlCondition($fieldName, $condition)
*/
protected function _prepareQuotedSqlCondition($text, $value, $fieldName)
{
- $sql = $this->quoteInto($text, $value);
- $sql = str_replace('{{fieldName}}', $fieldName, $sql);
- return $sql;
+ $text = str_replace('{{fieldName}}', $fieldName, $text);
+ return $this->quoteInto($text, $value);
}
/**
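Review bot: With the reordering in `_prepareQuotedSqlCondition`, `quoteInto()` now runs over the expanded `$fieldName` rather than only the template, so any literal `?` inside a field expression would be consumed as a value placeholder; nothing in the hunk guards against that. Either assert that `$fieldName` contains no `?` before the `quoteInto()` call, or state the constraint in the method's docblock (the `*/` shown as context above) together with the reason for the order, since `$sql = $this->quoteInto($text, $value);` followed by the `str_replace` looked equally natural and a future refactor could silently reinstate it.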