Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xcDQzLTJ2aGYtY2o4Z84AAil1

Magento Remote code execution through support/output path modification

In Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.

Permalink: https://github.com/advisories/GHSA-qp43-2vhf-cj8g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcDQzLTJ2aGYtY2o4Z84AAil1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago


CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-qp43-2vhf-cj8g, CVE-2019-8230
References:
Blast Radius: 1.0

Affected Packages

packagist:magento/core
Affected Version Ranges: < 1.9.4.3
Fixed in: 1.9.4.3