Description
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.
Remediation
References
Related Vulnerabilities
WordPress Plugin Contact Form Integrated With Google Maps Cross-Site Scripting (2.4)
WordPress Plugin Task Manager Pro Multiple Vulnerabilities (1.3.1)
ReviveAdserver Improper Authentication Vulnerability (CVE-2016-9124)
MySQL CVE-2019-2530 Vulnerability (CVE-2019-2530)
PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2010-2531)