CVE-2026-25523
MEDIUM 5.3 | EPSS 0.01% | Magento's X-Original-Url header can expose admin URL
Published: 2026/2/2 | Modified: 2026/2/10
Description
### Impact
The admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations.

### Patches
The bug comes from the Zend library and is patched by unsetting the header in the bootstrap process.

### Workarounds
Unset the `X-Original-Url` header in the web server configuration.

### References
The activation of these headers comes from the Zend_Controller module. It appears this has been known to some degree since 2016 - https://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..)

### Credit
Anees Hyder ( @anees0xdev ) via HackerOne https://hackerone.com/anees0x_dev/hacktivity
Affected packages (1)
- Packagist / openmage/magento-lts: from 0, < 20.16.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |