Description

A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection.

Remediation

References

CVE-2019-7871

Related Vulnerabilities

WordPress 4.3.x Same Origin Method Execution (SOME) Vulnerability (4.3 - 4.3.3)

Nexus Repository Manager Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2021-43961)

WordPress Plugin Migration, Backup, Staging-WPvivid Directory Traversal (0.9.75)

MySQL CVE-2021-2055 Vulnerability (CVE-2021-2055)

WordPress Plugin FormBuilder Multiple Vulnerabilities (1.05)

Severity

High

Classification

CVE-2019-7871 CWE-94 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities