Description
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.
Remediation
References
Related Vulnerabilities
WordPress Plugin Top 10-Popular posts for WordPress Multiple Vulnerabilities (3.2.3)
Jboss EAP Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2017-2670)
XWiki Other Vulnerability (CVE-2022-36090)
WordPress Plugin Connections Business Directory Unspecified Vulnerability (0.7.1.5)
Liferay DXP Incorrect Authorization Vulnerability (CVE-2025-62275)