Description
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft a custom layout update and use the product import functionality to achieve remote code execution.
Remediation
References