Description
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.
Remediation
References
Related Vulnerabilities
WordPress Plugin Donorbox-Free Recurring Donation Form Cross-Site Scripting (7.1.1)
Moodle Other Vulnerability (CVE-2015-3272)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-1135)
Undertow Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-1745)
Oracle Database Server CVE-2010-4413 Vulnerability (CVE-2010-4413)