Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQyN2ctMnI4My0zY2Nt

Moderate EPSS: 0.00108% (0.30246 Percentile) EPSS:
Permalink JSON

Information disclosure through processing of external XML entities

Affected Packages Affected Versions Fixed Versions
packagist:magento/community-edition >= 2.3, < 2.3.2-p2, >= 2.2, < 2.2.10 2.3.2-p2, 2.2.10
13 Dependent packages
12 Dependent repositories
50,743 Downloads total

Affected Version Ranges

All affected versions

2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1

All unaffected versions

2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.2.10, 2.2.11, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.

As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

References:

Identifiers

GHSA-427g-2r83-3ccm

CVE-2019-8126

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00108

EPSS Percentile: 0.30246

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

almost 6 years ago

Updated

over 1 year ago

API

JSON