Skip to main content

OpenMage LTS CVE-2026-42207

| EUVDEUVD-2026-30570 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-05 https://github.com/OpenMage/magento-lts GHSA-qpgq-5g92-j5q8
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 21:01 vuln.today
Analysis Generated
May 05, 2026 - 21:01 vuln.today

DescriptionGitHub Advisory

Summary

Mage_ProductAlert_AddController::stockAction() reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) without calling $this->_isUrlInternal() When the supplied product_id does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to whatever URL was provided as uenc.

Vulnerable path:

php
// app/code/core/Mage/ProductAlert/controllers/AddController.php : stockAction()

$backUrl = $this->getRequest()->getParam(Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED);  // raw, no decode
$productId = (int) $this->getRequest()->getParam('product_id');

if (!$backUrl || !$productId) {
    $this->_redirect('/');
    return;
}

$product = Mage::getModel('catalog/product')->load($productId);

if (!$product->getId()) {
    $session->addError($this->__('Not enough parameters.'));
    $this->_redirectUrl($backUrl);   // ← NO _isUrlInternal() check
    return;
}

Secure peer (priceAction()):

php
if (!$product->getId()) {
    if ($this->_isUrlInternal($backUrl)) {  // ← validation present
        $this->_redirectUrl($backUrl);
    } else {
        $this->_redirect('/');
    }
    return;
}

Steps to Reproduce

Prerequisites

  • OpenMage LTS ≤ 20.16.0 with Product Alerts enabled (default configuration)
  • A valid, logged-in customer session on the target store
Step 1 - Authenticate as a Customer (Attacker controls the crafted link; victim must be logged in)

The preDispatch() hook calls Mage::getSingleton('customer/session')->authenticate($this). If the request comes from an unauthenticated user, they are redirected to the login page first. The open redirect only fires after the customer is authenticated. This is the realistic attack scenario: the attacker sends a crafted link to a customer who is already logged in.

<img width="1548" height="638" alt="image" src="https://github.com/user-attachments/assets/64c18279-ec0a-4110-b8f4-d952870e348c" />

Step 2 - Craft the Malicious URL

The uenc parameter is read raw via getParam() with no base64 decoding in this code path. A plain URL is sufficient and produces the redirect:

GET /productalert/add/stock/?product_id=99999&uenc=https://evil.com/steal-credentials HTTP/1.1
Host: <store-hostname>
Cookie: om_frontend=<authenticated-session>

Key conditions:

  • product_id must reference a non-existent product (triggers the vulnerable branch; any large ID works)
  • uenc is the raw destination URL (no base64 encoding required)

<img width="1554" height="852" alt="image" src="https://github.com/user-attachments/assets/d8530247-2d2f-4747-bf16-ece71a507b50" />

Impact

Technical Impact

An attacker who controls the uenc parameter value can redirect any logged-in shopper to an arbitrary external URL. Because the redirect originates from the legitimate store domain, the victim’s browser shows the trusted store URL in the address bar momentarily before being sent to the attacker site. The HTTP 302 response exits the store’s origin before the browser shows anything to the user.

Business-Level Attack Vectors

ScenarioDescription
Credential phishingCraft a link claiming to show a stock notification. Customer lands on attacker’s login clone and reuses their password.
OAuth / SSO token theftIf the store uses a social login or “Login with Google” flow, the attacker can inject their redirect_uri via the open redirect, stealing OAuth tokens.
Affiliate fraudRedirect customers from the legitimate store to a competing retailer after they click a “notify me” link.
Malware distributionRedirect to drive-by-download pages with the store’s reputation acting as social proof.

Propagation

A single malicious link can be embedded in:

  • Customer emails (“Click here for stock notification preferences”)
  • Forum posts, social media, or product reviews on the store
  • SEO-poisoned search results that rank the store’s domain

Recommended Fix

Apply the same _isUrlInternal() guard used in priceAction() to the stockAction() missing-product

This is an AI-generated report.

An attempt was made to test the same PoC against the online demo https://demo.openmage.org/ but it couldn't be reproduced. It was only reproduced against the local setup env against the latest version.

AnalysisAI

Open redirect vulnerability in OpenMage LTS through version 20.17.0 allows authenticated attackers to redirect logged-in customers to arbitrary external URLs via an unvalidated uenc parameter in the ProductAlert stockAction() controller. The vulnerability occurs when a non-existent product ID is supplied, bypassing the _isUrlInternal() validation check present in the analogous priceAction() method. Attackers can exploit this for credential phishing, OAuth token theft, affiliate fraud, or malware distribution by crafting a malicious link and distributing it via email, forums, or social media.

Technical ContextAI

OpenMage LTS is a community-maintained fork of Magento 1.x, a PHP-based e-commerce platform. The vulnerability exists in the Mage_ProductAlert_AddController::stockAction() method located in app/code/core/Mage/ProductAlert/controllers/AddController.php. The controller accepts a uenc (URL-encoded return URL) query parameter and a product_id parameter. When a user requests stock alerts for a product, the code retrieves the product from the catalog database. If the product does not exist (ID returns no match), the code calls _redirectUrl($backUrl) directly without first validating that the URL is internal to the store domain using the _isUrlInternal() method. This is a clear deviation from the secure pattern already implemented in the sibling priceAction() method within the same controller, where the _isUrlInternal() check is present. The root cause is CWE-601 (URL Redirection to Untrusted Site / Open Redirect), a classic control-flow bypass where user-supplied input directly influences redirect destinations without domain validation.

RemediationAI

Vendor-released patch: upgrade to OpenMage LTS version 20.18.0 or later. The fix applies the _isUrlInternal() validation guard to the stockAction() method, mirroring the secure pattern already present in priceAction(). If immediate patching is not possible, implement a temporary web application firewall (WAF) rule to block requests to /productalert/add/stock/ that contain a uenc parameter pointing to external domains - allow only uenc values matching the store's own domain or relative paths beginning with /. This mitigation eliminates the attack vector at the network perimeter but does not resolve the underlying code defect and may produce false positives if the store legitimately uses the uenc parameter for external redirects elsewhere. The most reliable short-term control is to disable the Product Alerts feature entirely via admin configuration (System > Configuration > Catalog > Product Alerts) if business requirements permit; this eliminates the vulnerable endpoint entirely. Communicate with customers that the stock notification feature will be temporarily offline during patching to avoid confusion. Apply the patch as soon as possible, as the vulnerability is publicly documented and proof-of-concept steps are available.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-42207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy