How severe is GHSA-prpf-cj87-hwvr?

No CVSS score has been assigned to GHSA-prpf-cj87-hwvr yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-prpf-cj87-hwvr?

GHSA-prpf-cj87-hwvr affects the following packages: magento/community-edition (Packagist). Ecosystems affected: Packagist.

How do I fix GHSA-prpf-cj87-hwvr?

Update magento/community-edition to 1.9.3.9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-prpf-cj87-hwvr is resolved across your whole dependency graph.

How do I detect GHSA-prpf-cj87-hwvr in my Packagist dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for magento/community-edition. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-prpf-cj87-hwvr if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-prpf-cj87-hwvr?

O3 pinpoints whether GHSA-prpf-cj87-hwvr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-prpf-cj87-hwvr actively exploited in the wild?

No public exploit code has been indexed for GHSA-prpf-cj87-hwvr yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-prpf-cj87-hwvr published, and has it been updated?

GHSA-prpf-cj87-hwvr was published on May 15, 2024 and was last updated on November 29, 2024. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

GHSA-prpf-cj87-hwvr: magento/community-edition Remote Code Exec…

Blast Radius

1 pkg affected

🐘magento/community-edition

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 bring essential security enhancements with Patch SUPEE-10752. These updates address various vulnerabilities, including authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF), and more.

Key Security Improvements:

APPSEC-2001: Authenticated Remote Code Execution (RCE) using custom layout XML
APPSEC-2015: Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only)
APPSEC-2042: PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module)
APPSEC-2029: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
APPSEC-2007: Authenticated SQL Injection when saving a category
APPSEC-2027: CSRF is possible against Web sites, Stores, and Store Views
APPSEC-1882: The cron.php file can leak database credentials
APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
APPSEC-2005: Persistent Cross-Site Scripting (XSS) injection in Configuration table
APPSEC-1880: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
APPSEC-2004: Cross-Site Scripting (XSS) through Remote File Inclusion
APPSEC-1988: Path traversal vulnerability in templates
APPSEC-1987: Reflective cross-site scripting (XSS) through filter manipulation
APPSEC-2034: XSS in Admin Create Order Configure Product Via Compatible File Extensions
APPSEC-1876: Cross-site scripting (XSS) in Admin Bundle Product Bundle Items Tab through Product SKU
APPSEC-1874: Cross-Site Scripting (XSS) in the Admin Gift Registry Type Edit via Attribute Group
APPSEC-1872: Cross-Site Scripting (XSS) in the Admin Manage Catalog Events list through category name
APPSEC-1928: Stored XSS in Downloadable Product Links title - frontend
APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points history using the Reason field
APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address
APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user
APPSEC-1934: Systemic Cross-Site Request Forgery (CSRF) on the Checkout page
APPSEC-1917: Password theft though uploaded video and Auth Prompt password theft vulnerability
APPSEC-1993: IP spoofing

Patches and upgrades are available for the following Magento versions:

Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9.
Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐘Packagist	`magento/community-edition`	all versions	1.9.3.9

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for magento/community-edition. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update magento/community-edition to 1.9.3.9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-prpf-cj87-hwvr is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-prpf-cj87-hwvr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-prpf-cj87-hwvr. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 bring essential security enhancements with Patch SUPEE-10752. These updates address various vulnerabilities, including authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF), and more. Key Security Improvements: - APPSEC-2001: Authenticated Remote Code Execution (RCE) using custom layout XML - APPSEC-2015: Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only) - APPSEC-2042: PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module) - APPSEC-20

O3 Security · Impact-Aware SCA

Is GHSA-prpf-cj87-hwvr in your dependencies?

O3 detects GHSA-prpf-cj87-hwvr across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works

GHSA-prpf-cj87-hwvr

Blast Radius

Description

Affected Packages

Detection & mitigation playbook

Detect

Fix

Workarounds

How O3 protects you

Frequently Asked Questions

Is GHSA-prpf-cj87-hwvr in your dependencies?