Description
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.
Remediation
References
Related Vulnerabilities
PHP NULL Pointer Dereference Vulnerability (CVE-2016-7130)
Drupal Core 7.x Multiple Cross-Site Scripting Vulnerabilities (7.0 - 7.85)
Drupal Core 4.6.x Multiple Cross-Site Scripting Vulnerabilities (4.6.0 - 4.6.9)
WordPress Plugin PI Button includes Backdoor [Only if downloaded via the vendor website] (3.3.3)