Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery.

Remediation

References

CVE-2019-7892

Related Vulnerabilities

Moodle Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2011-4292)

Joomla Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2009-1280)

MediaWiki Improper Access Control Vulnerability (CVE-2016-6331)

WordPress Plugin Structured Content (JSON-LD) #wpsc Cross-Site Scripting (1.5)

WordPress Plugin Photo Gallery by 10Web-Mobile-Friendly Image Gallery Directory Traversal (1.3.42)

Severity

High

Classification

CVE-2019-7892 CWE-918 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities