Description
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.
Remediation
References
Related Vulnerabilities
WordPress Plugin GD bbPress Tools Cross-Site Scripting (1.7)
MySQL Other Vulnerability (CVE-2003-0150)
MySQL CVE-2016-0650 Vulnerability (CVE-2016-0650)
WordPress Plugin Gallery-Flagallery Photo Portfolio Cross-Site Request Forgery (3.01)
WordPress Plugin Genesis Columns Advanced Cross-Site Scripting (2.0.3)