PT-2019-18890 · Adobe · Magento
Published
2019-11-05
·
Updated
2022-05-24
·
CVE-2019-8114
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Magento 1 versions prior to 1.9.4.3
Magento 1 versions prior to 1.14.4.3
Magento 2.2 versions prior to 2.2.10
Magento 2.3 versions prior to 2.3.3
Magento 2.3 versions prior to 2.3.2-p1
Description
A remote code execution issue exists, allowing an authenticated user with admin privileges to import features to execute arbitrary code via a crafted configuration archive file upload.
Recommendations
For Magento 1 versions prior to 1.9.4.3, update to version 1.9.4.3 or later.
For Magento 1 versions prior to 1.14.4.3, update to version 1.14.4.3 or later.
For Magento 2.2 versions prior to 2.2.10, update to version 2.2.10 or later.
For Magento 2.3 versions prior to 2.3.3, update to version 2.3.3 or later.
For Magento 2.3 versions prior to 2.3.2-p1, update to version 2.3.2-p1 or later, then promptly upgrade to 2.3.2-p2.
Exploit
Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Magento