Description
An SQL injection vulnerability has been identified in Magento code prior to version 2.3.1. An unauthenticated user can exploit it to execute arbitrary code, which causes sensitive data leakage.
To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. To protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.
Remediation
Upgrade to the latest version of Magento. Magento released version 2.3.1, along with patched versions for 2.2.x, 2.1.x, and 1.1.