Description
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.
Remediation
References
Related Vulnerabilities
WordPress Plugin Constant Contact Forms Cross-Site Scripting (1.8.7)
WordPress Plugin Wordfence Security-Firewall & Malware Scan Cross-Site Scripting (5.1.2)
OpenSSL Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-1473)
MySQL CVE-2015-2573 Vulnerability (CVE-2015-2573)
WordPress Plugin WP Photo Album 'id' Parameter Cross-Site Scripting (1.5.1)