Description

In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

Remediation

References

CVE-2019-8231

Related Vulnerabilities

phpBB Improper Input Validation Vulnerability (CVE-2019-9826)

Moodle Improper Authentication Vulnerability (CVE-2010-1613)

WordPress Plugin Newsletter Subscription Form Possible Remote Code Execution (1.1.2)

WordPress Plugin WooCommerce Object Injection (2.3.10)

MyBB Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2021-27947)

Severity

High

Classification

CVE-2019-8231 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities