Description
An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform an uploaded JPEG file into a PHP file.
Remediation
References