Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xcGM4LW0yeG0tOXc3Nc4AAimD
Magento Remote code execution through catalog attribute sets
In Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.
Permalink: https://github.com/advisories/GHSA-qpc8-m2xm-9w75JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcGM4LW0yeG0tOXc3Nc4AAimD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00085
EPSS Percentile: 0.37534
Identifiers: GHSA-qpc8-m2xm-9w75, CVE-2019-8231
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-8231
- https://magento.com/security/patches/supee-11219
- https://github.com/advisories/GHSA-qpc8-m2xm-9w75
Affected Packages
packagist:magento/core
Affected Version Ranges: < 1.9.4.3Fixed in: 1.9.4.3