Description

The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.

Remediation

References

CVE-2015-6497

Related Vulnerabilities

MySQL CVE-2022-21278 Vulnerability (CVE-2022-21278)

WordPress Plugin WP Cerber Security, Anti-spam & Malware Scan Security Bypass (9.3.2)

Moodle Improper Authentication Vulnerability (CVE-2018-1082)

WordPress Plugin 10Web Map Builder for Google Maps Cross-Site Scripting (1.0.69)

WordPress Plugin RSS Includes Pages Cross-Site Scripting (3.6)

Severity

High

Classification

CVE-2015-6497 CWE-20 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities