CVE-2019-7942Code Injection in Magento

CWE-94Code Injection4 documents4 sources
Severity
7.2HIGHNVD
EPSS
0.9%
top 24.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
MagentoMagento Community-editionAdobe Systems Incorporated Magento 2
Timeline
PublishedAug 2
Latest updateMay 24

Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

Packagistmagento/community-edition2.1.02.1.18+2
NVDmagento/magento2.1.02.1.18+2
CVEListV5adobe_systems_incorporated/magento_2Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2

🔴Vulnerability Details

3
GHSA
Magento 2 Community Edition RCE2022-05-24
OSV
Magento 2 Community Edition RCE2022-05-24
CVEList
CVE-2019-7942: A remote code execution vulnerability exists in Magento 22019-08-02
CVE-2019-7942 — Code Injection in Magento | cvebase