Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.

Remediation

References

CVE-2019-7942

Related Vulnerabilities

WordPress Multiple Cross-Site Scripting Vulnerabilities (2.0.11 - 2.3)

PHP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-5712)

XWiki Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2023-29512)

WordPress Plugin Product Catalog Multiple SQL Injection Vulnerabilities (2.1)

WordPress Plugin ProfileGrid-User Profiles, Groups and Communities Remote Code Execution (2.8.5)

Severity

High

Classification

CVE-2019-7942 CWE-94 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities