PT-2019-18934 · Adobe · Magento

Published 2019-11-06 · Updated 2022-05-24 · CVE-2019-8158

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Magento 2.2 versions 2.2.0 through 2.2.9
Magento 2.3 versions 2.3.0 through 2.3.2

Description
An XPath entity injection issue exists, allowing an attacker to craft a GET request to the page cache block rendering module. This request gets passed to the XML data processing engine without validation, enabling limited access to underlying XML data.

Recommendations
For Magento 2.2 versions 2.2.0 through 2.2.9, update to version 2.2.10 or later.
For Magento 2.3 versions 2.3.0 through 2.3.2, update to version 2.3.3 or 2.3.2-p2 if you have already implemented the pre-release version of this patch (2.3.2-p1).


Related identifiers

CVE-2019-8158
GHSA-8P5C-F836-M4H7

Affected products

Magento