Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tdzV3LWNmNzYtNzNtOM4AAhkx

Magento 2 Community Edition RCE Vulnerability

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update.

Permalink: https://github.com/advisories/GHSA-mw5w-cf76-73m8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdzV3LWNmNzYtNzNtOM4AAhkx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 17 days ago


CVSS Score: 7.2
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-mw5w-cf76-73m8, CVE-2019-7895

Affected Packages

packagist:magento/community-edition
Versions: >= 2.3, < 2.3.2; >= 2.2, < 2.2.9; >= 2.1, < 2.1.18
Fixed in: 2.3.2, 2.2.9, 2.1.18