Description

In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

Remediation

References

CVE-2019-8231

Related Vulnerabilities

TYPO3 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4627)

Telerik Web UI Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2014-2217)

WordPress Plugin Shortlinks by Pretty Links-Best WordPress Link Tracking 'pretty-bar.php' Cross-Site Scripting (1.5.2)

YetiForce CRM Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-2829)

WordPress Plugin Product Slider for WooCommerce Security Bypass (2.5.6)

Severity

High

Classification

CVE-2019-8231 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities