Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.

Remediation

References

CVE-2019-7903

Related Vulnerabilities

Apache HTTP Server CVE-2002-0392 Vulnerability (CVE-2002-0392)

osCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-43717)

Atlassian Jira Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2019-14998)

Drupal Core 9.0.x Multiple Cross-Site Scripting Vulnerabilities (9.0.0 - 9.0.5)

PostgreSQL Incorrect Permission Assignment for Critical Resource Vulnerability (CVE-2018-1053)

Severity

High

Classification

CVE-2019-7903 CWE-94 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities