Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.

Remediation

References

CVE-2019-7903

Related Vulnerabilities

MODX Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2010-4883)

WordPress Plugin MasterStudy LMS-for Online Courses and Education Local File Inclusion (3.3.3)

WordPress Plugin JS MultiHotel Cross-Site Scripting (2.2.1)

WordPress Plugin Custom Contact Forms Multiple Cross-Site Scripting Vulnerabilities (5.0.0.1)

Python NULL Pointer Dereference Vulnerability (CVE-2019-5010)

Severity

High

Classification

CVE-2019-7903 CWE-94 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities