CVE-2015-6497

CWE-20Improper Input Validation4 documents4 sources
Severity
8.8HIGH
EPSS
2.7%
top 14.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Magento MagentoMagento Core
Timeline
PublishedJan 15
Latest updateMay 24

Description

The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

Packagistmagento/core< 1.9.2.1
NVDmagento/magento< 1.9.2.1+1

🔴Vulnerability Details

3
GHSA
Magento arbitrary PHP code execution via the productData parameter2022-05-24
OSV
Magento arbitrary PHP code execution via the productData parameter2022-05-24
CVEList
CVE-2015-6497: The create function in app/code/core/Mage/Catalog/Model/Product/Api/V22020-01-15
CVE-2015-6497 (HIGH CVSS 8.8) | The create function in app/code/cor | cvebase.io