CVE-2019-8154

Name of the Vulnerable Software and Affected Versions Magento versions 2.2 prior to 2.2.10 Magento versions 2.3 prior to 2.3.3 or 2.3.2-p1 Magento versions prior to 3.1.2

Description A remote code execution vulnerability exists, allowing an authenticated user with privileges to modify product catalogs to trigger PHP file inclusion through a crafted XML file that specifies product design update. This issue can be exploited by including malicious PHP files.

Recommendations For Magento 2.2 prior to 2.2.10, update to version 2.2.10 or later. For Magento 2.3 prior to 2.3.3 or 2.3.2-p1, update to version 2.3.3 or 2.3.2-p2. For Magento versions prior to 3.1.2, update to version 3.1.2 or later. As a temporary workaround, consider restricting access to product catalog modification privileges to minimize the risk of exploitation.