Description
In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.
Remediation
References
Related Vulnerabilities
WordPress Plugin WP-Optimize Multiple Vulnerabilities (1.8.9.9)
WordPress Plugin CM Pop-Up banners for WordPress SQL Injection (1.5.10)
MediaWiki Improper Access Control Vulnerability (CVE-2016-6336)
Apache HTTP Server Other Vulnerability (CVE-2004-1834)
WordPress Plugin Your Text Manager Cross-Site Scripting (0.3.0)