CVE-2019-7861
Published 2019-08-02
Priority: P3 | Severity: high | CVSS 3.0 base score: 7.5 (vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 2.04% (78.8th percentile)
Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
Affected: 6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magento | community-edition | >= 2.1.0 < 2.1.18 | 2.1.18 |
| magento | community-edition | >= 2.2.0 < 2.2.9 | 2.2.9 |
| magento | community-edition | >= 2.3.0 < 2.3.2 | 2.3.2 |
| magento | magento | >= 2.1.0 < 2.1.18 | 2.1.18 |
| magento | magento | >= 2.2.0 < 2.2.9 | 2.2.9 |
| magento | magento | >= 2.3.0 < 2.3.2 | 2.3.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
OSV (2022-05-24): CVE-2019-7861 [HIGH] Magento 2 Community Edition Unsafe File Upload
GHSA (2022-05-24): CVE-2019-7861 [HIGH] CWE-434 Magento 2 Community Edition Unsafe File Upload
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.