Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.

Remediation

References

CVE-2019-7896

Related Vulnerabilities

Roundcube Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-35730)

Apache Tomcat Insufficient Verification of Data Authenticity Vulnerability (CVE-2017-7674)

WordPress Plugin Easy Contact Form Solution Cross-Site Scripting (1.6)

WordPress Plugin Job Manager Multiple Cross-Site Scripting Vulnerabilities (0.7.18)

WordPress Plugin File Manager Unspecified Vulnerability (5.0.0)

Severity

High

Classification

CVE-2019-7896 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities