Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-7139 — SQL Injection in Magento

CWE-89 — SQL Injection10 documents7 sources

Severity

9.8CRITICALNVD

EPSS

60.1%

top 1.72%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Magento Magento Community-edition Magento Commerce +1 more

Timeline

PublishedApr 10

Latest updateMay 24

Description

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDmagento/magento1.14.0.0 — 1.14.4.1+4

▶Packagistmagento/community-edition2.1.0 — 2.1.18+2

▶CVEListV5magento/magentoprior to 2.1.17, prior to 2.2.8, prior to 2.3.1+2

▶CVEListV5magento/magento_commerceprior to 1.14.4.1

▶CVEListV5magento/magento_open_sourceprior to 1.9.4.1

🔴Vulnerability Details

GHSA

Magento 2 Community Edition SQLi Vulnerability↗2022-05-24

▶

OSV

Magento 2 Community Edition SQLi Vulnerability↗2022-05-24

▶

CVEList

CVE-2019-7139: An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage↗2019-04-10

▶

VulnCheck

magento magento Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')↗2019

▶

💥Exploits & PoCs

Nuclei

Magento - SQL Injection

▶

🕵️Threat Intelligence

Sentinelone

Vulnerability Assessment, Penetration Testing, and Redteaming↗2019-07-22

▶

Sentinelone

Vulnerability Assessment, Penetration Testing, and Redteaming↗2019-07-22

▶

Sentinelone

13 Common Ecommerce Security Threats and Solutions↗2019-07-15

▶

Sentinelone

13 Common Ecommerce Security Threats and Solutions↗2019-07-15

▶