Description
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.
Remediation
References
Related Vulnerabilities
WordPress Plugin Slideshow Pro 'upload.php' Arbitrary File Upload (2.1)
WordPress Plugin Thank You Counter Button Cross-Site Scripting (1.8.2)
WordPress Plugin DM Albums File Disclosure (1.9.2)
TYPO3 Improper Restriction of XML External Entity Reference Vulnerability (CVE-2020-26229)
WordPress Plugin LearnPress-WordPress LMS PHP Object Injection (4.1.7.1)