Description

In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

Remediation

References

CVE-2019-8231

Related Vulnerabilities

ownCloud Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-4752)

WordPress Plugin Global Flash Galleries Cross-Site Scripting (0.13.4)

Oracle JRE CVE-2013-0444 Vulnerability (CVE-2013-0444)

Joomla Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2020-15695)

WordPress Plugin Raygun4WP Cross-Site Scripting (1.8.0)

Severity

High

Classification

CVE-2019-8231 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities