Description

A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection.

Remediation

References

CVE-2019-7871

Related Vulnerabilities

Grafana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-12099)

WordPress 5.5.x Multiple Vulnerabilities (5.5 - 5.5.3)

Envoy Proxy NULL Pointer Dereference Vulnerability (CVE-2024-23327)

Liferay Portal Generation of Error Message Containing Sensitive Information Vulnerability (CVE-2021-29040)

Plone CMS Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-4194)

Severity

High

Classification

CVE-2019-7871 CWE-94 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities