Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Magento Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-7903)

Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.

Remediation

References

Related Vulnerabilities

WordPress Plugin Wordpress Forms Multiple Vulnerabilities (0.2.7.1)

WordPress Plugin News Element Elementor Blog Magazine Local File Inclusion (1.0.5)

WordPress 4.2.x Multiple Vulnerabilities (4.2 - 4.2.21)

WordPress Plugin Elementor Website Builder Security Bypass (2.9.5)

WordPress Plugin Site Offline Or Coming Soon Or Maintenance Mode Cross-Site Request Forgery (1.4.3)

Severity

High

Classification

CVE-2019-7903 CWE-94 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities