Description

In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

Remediation

References

CVE-2019-8231

Related Vulnerabilities

MyBB CVE-2006-0218 Vulnerability (CVE-2006-0218)

WordPress Plugin 3D Banner Rotator 'upload.php' Arbitrary File Upload (2.1)

WordPress Plugin OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) Supply Chain Attack [Polyfill.io] (1.1.2)

Magento CVE-2019-8123 Vulnerability (CVE-2019-8123)

Serendipity Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2016-10752)

Severity

High

Classification

CVE-2019-8231 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities