CVE-2019-8126 — XML External Entity (XXE) Injection in Magento

CWE-611 — XML External Entity (XXE) Injection CWE-776 — XML Entity Expansion4 documents4 sources

Severity

4.9MEDIUMNVD

EPSS

0.1%

top 70.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Systems Incorporated Magento 2

Timeline

PublishedNov 5

Latest updateNov 12

Description

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶NVDmagento/magento2.2.0 — 2.2.10+2

▶Packagistmagento/community-edition2.2 — 2.2.10+1

▶CVEListV5adobe_systems_incorporated/magento_2Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1+1

Patches

Patch: magento.com ↗Patch: magento.com ↗

🔴Vulnerability Details

GHSA

Information disclosure through processing of external XML entities↗2019-11-12

▶

OSV

Information disclosure through processing of external XML entities↗2019-11-12

▶

CVEList

CVE-2019-8126: An XML entity injection vulnerability exists in Magento 2↗2019-11-05

▶