CVE-2019-7930: Unrestricted File Upload in Magento

Severity: 7.2 HIGH (NVD)
EPSS: 0.4% (top 39.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 2
Latest update: May 24

Description

A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a malicious file is then uploaded and executed on the system.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5 | adobe_systems_incorporated/magento_2 | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
NVD | magento/magento | 2.1.0 | 2.1.18 | +2
Packagist | magento/community-edition | 2.1 | 2.1.18 | +2

Vulnerability Details (3)

GHSA | Magento 2 Community Unrestricted File Upload | 2022-05-24
OSV | Magento 2 Community Unrestricted File Upload | 2022-05-24
CVEList | CVE-2019-7930: A file upload restriction bypass exists in Magento 2 | 2019-08-02