CVE-2019-8134
Published 2019-11-06
CVE-2019-8134: A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute…
Priority P352 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.00% (58.5th percentile)
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe_systems_incorporated | magento_2 | — | — |
| adobe_systems_incorporated | magento_2 | — | — |
| magento | community-edition | >= 2.2 < 2.2.10 | 2.2.10 |
| magento | community-edition | >= 2.3 < 2.3.2-p1 | 2.3.2-p1 |
| magento | magento | — | — |
| magento | magento | >= 2.2.0 < 2.2.10 | 2.2.10 |
| magento | magento | >= 2.3.0 < 2.3.2 | 2.3.2 |
CVSS provenance
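| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |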
GHSA
Magento SQL injection via marketing account with access to email templates variables
ghsa·2022-05-24
CVE-2019-8134 [HIGH] CWE-89 Magento SQL injection via marketing account with access to email templates variables
OSV
Magento SQL injection via marketing account with access to email templates variables
osv·2022-05-24
CVE-2019-8134 [HIGH] Magento SQL injection via marketing account with access to email templates variables
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2019-11-06