Description

In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

Remediation

References

CVE-2019-8231

Related Vulnerabilities

WordPress Plugin WP CSV Unspecified Vulnerability (1.7.8.0)

WordPress Plugin Code Insert Manager (Q2W3 Inc Manager) ZeroClipboard Cross-Site Scripting (2.3.1)

Drupal Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2007-5594)

WordPress Plugin Allow REL= and HTML in Author Bios Cross-Site Scripting (.1)

WordPress Plugin AccessAlly Information Disclosure (3.5.6)

Severity

High

Classification

CVE-2019-8231 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities