Description
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.
Remediation
References
Related Vulnerabilities
MySQL CVE-2022-21278 Vulnerability (CVE-2022-21278)
WordPress Plugin WP Cerber Security, Anti-spam & Malware Scan Security Bypass (9.3.2)
Moodle Improper Authentication Vulnerability (CVE-2018-1082)
WordPress Plugin 10Web Map Builder for Google Maps Cross-Site Scripting (1.0.69)
WordPress Plugin RSS Includes Pages Cross-Site Scripting (3.6)