Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery.

Remediation

References

CVE-2019-7892

Related Vulnerabilities

Sqlite Integer Overflow or Wraparound Vulnerability (CVE-2018-20506)

Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-9933)

Dolibarr Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2018-13450)

WordPress Plugin YITH Custom Thank You Page for Woocommerce Security Bypass (1.1.6)

WordPress Plugin Count per Day Information Disclosure (3.2.5)

Severity

High

Classification

CVE-2019-7892 CWE-918 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities