Description
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate the CMS section of the website can trigger remote code execution via a custom layout update.
Remediation
References