Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12dmY5LWZ4aHYtNHJnas4AAhlY

Magento 2 Community Edition RCE

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.

Permalink: https://github.com/advisories/GHSA-vvf9-fxhv-4rgj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12dmY5LWZ4aHYtNHJnas4AAhlY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 9 days ago


CVSS Score: 7.2
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-vvf9-fxhv-4rgj, CVE-2019-7942

Affected Packages

packagist:magento/community-edition
Versions: >= 2.3.0, < 2.3.2, >= 2.2.0, < 2.2.9, >= 2.1.0, < 2.1.18
Fixed in: 2.3.2, 2.2.9, 2.1.18