PT-2019-18902 · Adobe · Magento

Published 2019-11-05 · Updated 2021-07-21 · CVE-2019-8126

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Magento 2.2 versions prior to 2.2.10
Magento 2.3 versions prior to 2.3.3 or 2.3.2-p1

Description

An XML entity injection issue exists that allows an authenticated admin user to craft a document type definition for an XML document representing an XML layout. The crafted document type definition and XML layout enable the processing of external entities, which can lead to information disclosure.

Recommendations

For Magento 2.2 versions prior to 2.2.10, update to version 2.2.10 or later.
For Magento 2.3 versions prior to 2.3.3, update to version 2.3.3 or later.
For Magento 2.3 version 2.3.2-p1, update to version 2.3.2-p2 or later.
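
As a defensive illustration of the description above, this added example (not Magento's code and not the vendor's patch) parses admin-supplied layout XML with PHP's libxml-backed `DOMDocument` and rejects any document that carries a document type definition. The function name `parseLayoutXml` and the sample inputs are hypothetical, and it assumes legitimate layout updates never need a DTD.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a Magento API): parse admin-supplied layout XML
 * and refuse any document that carries a document type definition.
 */
function parseLayoutXml(string $xml): DOMDocument
{
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately absent: they switch on entity
        // substitution and external DTD loading.
        if ($xml === '' || !$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Layout XML is not well-formed.');
        }
        // Assumption: layout XML needs no DTD, so any DOCTYPE node is rejected
        // before the document reaches code that might expand its entities.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE declarations are not allowed in layout XML.');
            }
        }
        return $dom;
    } finally {
        // Restore the caller's libxml error handling whatever the outcome.
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs: one plain layout, one carrying a DTD.
$samples = [
    'plain layout' => '<page><body><referenceContainer name="content"/></body></page>',
    'layout with DTD' => '<!DOCTYPE page [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
        . '<page><body>&ext;</body></page>',
];

foreach ($samples as $label => $xml) {
    try {
        parseLayoutXml($xml);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

A check like this complements the version updates listed under Recommendations; it does not replace them.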

Exploit

Fix

XML Entity Expansion

XXE

Weakness Enumeration

Related Identifiers

CVE-2019-8126
GHSA-427G-2R83-3CCM

Affected Products

Magento