Description
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code by uploading a crafted configuration archive file.
Remediation
References