Description
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update.
Remediation
References
Related Vulnerabilities
WordPress Plugin Events Shortcodes For The Events Calendar Unspecified Vulnerability (1.7.2)
WordPress 4.3.x Same Origin Method Execution (SOME) Vulnerability (4.3 - 4.3.3)
WordPress Plugin All-in-One Video Gallery Local File Inclusion (2.4.9)
WordPress Plugin Cookie Information-Free GDPR Consent Solution Privilege Escalation (1.4.2)