Description
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft a document type definition for an XML document representing an XML layout. The crafted document type definition and XML layout allow processing of external entities, which can lead to information disclosure.
Remediation
References