The vulnerability was fixed in OpenMage v19.4.15 with the following patch:
diff --git a/app/code/core/Mage/Core/Helper/Security.php b/app/code/core/Mage/Core/Helper/Security.php index 00c4c53964..1eb2f08fb5 100644 --- a/app/code/core/Mage/Core/Helper/Security.php +++ b/app/code/core/Mage/Core/Helper/Security.php @@ -21,7 +21,10 @@ class Mage_Core_Helper_Security public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $block, $method, array $args) { foreach ($this->invalidBlockActions as $action) { - if ($block instanceof $action['block'] && strtolower($action['method']) === strtolower($method)) { + $calledMethod = strtolower($method); + if (($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod) + || ($block instanceof $action['block'] + && strtolower($action['block'] . '::' . $action['method']) === $calledMethod)) { Mage::throwException( sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method) );