The vulnerability is fixed in OpenMage v19.4.15. The following patch is used to close the vulnerability:
diff --git a/app/code/core/Mage/Dataflow/Model/Convert/Adapter/Io.php b/app/code/core/Mage/Dataflow/Model/Convert/Adapter/Io.php index 60cdb9c98b..32a3380505 100644 --- a/app/code/core/Mage/Dataflow/Model/Convert/Adapter/Io.php +++ b/app/code/core/Mage/Dataflow/Model/Convert/Adapter/Io.php @@ -49,7 +49,7 @@ public function getResource($forWrite = false) $isError = false; $ioConfig = $this->getVars(); - switch ($this->getVar('type', 'file')) { + switch (strtolower($this->getVar('type', 'file'))) { case 'file': //validate export/import path $path = rtrim($ioConfig['path'], '\\/')