Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution.

Remediation

References

CVE-2019-8122

Related Vulnerabilities

WordPress Plugin Gallery for Social Photo Cross-Site Request Forgery (1.0.0.27)

Apache Traffic Server Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') Vulnerability (CVE-2020-1944)

WordPress Plugin Greg's High Performance SEO Cross-Site Scripting (1.6.1)

WordPress Plugin Jetpack-WP Security, Backup, Speed, & Growth Information Disclosure (9.7.1)

Django Improper Validation of Specified Quantity in Input Vulnerability (CVE-2023-43665)

Severity

High

Classification

CVE-2019-8122 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities