Description
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.
Remediation
References
Related Vulnerabilities
WordPress 4.3.x Multiple Vulnerabilities (4.3 - 4.3.23)
RubyGems Improper Input Validation Vulnerability (CVE-2017-0900)
WordPress Plugin Adicon Server SQL Injection (1.2)
WordPress Plugin Cookie Information-Free GDPR Consent Solution Privilege Escalation (1.4.2)
WordPress Plugin Disable Comments Cross-Site Request Forgery (1.0.3)