Description
An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, and in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage the file upload controller for downloadable products to read or delete arbitrary files.
Remediation
References