Description
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.
Remediation
References
Related Vulnerabilities
Apache HTTP Server CVE-2018-1283 Vulnerability (CVE-2018-1283)
Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-6211)
GlassFish CVE-2017-10393 Vulnerability (CVE-2017-10393)
WordPress Plugin ALO EasyMail Newsletter Multiple Cross-Site Scripting Vulnerabilities (2.4.7)
WordPress Plugin Download Theme Arbitrary Directory Download (1.0.2)