Description
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution.
Remediation
References