Description
An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage the file upload controller for downloadable products to read or delete arbitrary files.
Remediation
References
Related Vulnerabilities
WordPress Plugin NextGEN Gallery-WordPress Gallery Security Bypass (3.1.6)
Joomla! Core 3.x.x Directory Traversal (3.2.0 - 3.4.5)
MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-13258)
Drupal Core 8.x Multiple Security Bypass Vulnerabilities (8.0.0 - 8.3.6)