CVE-2021-41144: 
PHP vulnerability analysis and mitigation

OpenMage LTS, an e-commerce platform, was found to contain a vulnerability (CVE-2021-41144) where a layout block could bypass the block blacklist to execute remote code. This vulnerability affected versions prior to 19.4.22 and 20.0.19. The issue was patched in versions 19.4.22 and 20.0.19 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command - 'Command Injection'). The vulnerability allowed authenticated users to execute remote code through layout updates (NVD).

The vulnerability could lead to remote code execution on affected systems, potentially allowing attackers to gain unauthorized access, modify data, or execute arbitrary commands. The high CVSS score indicates severe potential impacts on system confidentiality, integrity, and availability (NVD).

The vulnerability has been patched in OpenMage LTS versions 19.4.22 and 20.0.19. Users are advised to upgrade to these or later versions to protect against this security issue (GitHub Release).