Skip to content

[GHSA-pgj4-g5j4-cmfx] cart2quote/module-quotation-encoded Remote Code Execution via downloadCustomOptionAction#8423

Open
sBatao wants to merge 1 commit into
sBatao/advisory-improvement-8423from
sBatao-GHSA-pgj4-g5j4-cmfx
Open

[GHSA-pgj4-g5j4-cmfx] cart2quote/module-quotation-encoded Remote Code Execution via downloadCustomOptionAction#8423
sBatao wants to merge 1 commit into
sBatao/advisory-improvement-8423from
sBatao-GHSA-pgj4-g5j4-cmfx

Conversation

@sBatao

@sBatao sBatao commented Jun 30, 2026

Copy link
Copy Markdown

Updates

  • Affected products
  • CVSS v3
  • Description
  • References
  • Severity

Comments
We would like to request a review of advisory GHSA-pgj4-g5j4-cmfx affecting the package cart2quote/module-quotation-encoded.

The vulnerability described in the advisory appears to relate to the legacy Magento 1 implementation of Cart2Quote. The advisory references Magento 1 file paths such as:

app/code/community/Ophirah/...

However, the Composer package cart2quote/module-quotation-encoded is a Magento 2 package, and these Magento 1 files are not present in the affected package versions.

As a result, the advisory appears to associate a Magento 1 vulnerability with Magento 2 package versions that do not contain the vulnerable code. The issue described in the advisory is therefore not applicable to the current Magento 2 codebase.

We kindly request that the advisory be reviewed and, if appropriate:

Remove the affected Magento 2 package association.
Correct the affected version ranges.
Withdraw the advisory if it does not apply to the package.

We are happy to provide additional information or code references if needed.

Thank you for your time and consideration.

Copilot stopped work on behalf of sBatao due to an error June 30, 2026 11:14
@github-actions github-actions Bot changed the base branch from main to sBatao/advisory-improvement-8423 June 30, 2026 11:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant