PT-2019-18934 · Adobe · Magento

Published: 2019-11-06 · Updated: 2022-05-24 · CVE-2019-8158

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Magento 2.2 versions 2.2.0 through 2.2.9; Magento 2.3 versions 2.3.0 through 2.3.2

Description: An XPath entity injection issue exists, allowing an attacker to craft a GET request to the page cache block rendering module. This request gets passed to the XML data processing engine without validation, enabling limited access to underlying XML data.

Recommendations: For Magento 2.2 versions 2.2.0 through 2.2.9, update to version 2.2.10 or later. For Magento 2.3 versions 2.3.0 through 2.3.2, update to version 2.3.3, or to 2.3.2-p2 if you have already implemented the pre-release version of this patch (2.3.2-p1).
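The pattern behind this class of bug, as an added illustration that is not Magento's code and not the affected module: a request parameter is concatenated into an XPath expression, so a value that closes the string literal rewrites the predicate and widens what the query returns. The XML document, the "block" lookup, the parameter values and the function names below are constructed assumptions for the demonstration; the hardened variant shows the control a defender applies before the value reaches the XML engine.

```php
<?php
// Added example, not Magento's code: the general shape of an XPath injection
// through an unvalidated request parameter, beside a hardened lookup.
// The XML document, the "block" lookup and the function names are constructed
// for this demonstration.

$xml = <<<XML
<layout>
  <block name="header" public="1">Header markup</block>
  <block name="footer" public="1">Footer markup</block>
  <block name="internal" public="0">Data that must not be rendered to visitors</block>
</layout>
XML;

$doc = new DOMDocument();
$doc->loadXML($xml);
$xpath = new DOMXPath($doc);

// Collect the text of each matched node; query() returns false on a malformed expression.
function nodesToText($nodes): array
{
    $out = [];
    if ($nodes === false) {
        return $out;
    }
    foreach ($nodes as $node) {
        $out[] = $node->textContent;
    }
    return $out;
}

// VULNERABLE pattern: the raw request value is spliced into the XPath string.
// A value such as  x' or '1'='1  turns the predicate into
//   @public='1' and @name='x' or '1'='1'
// and because "and" binds tighter than "or" this is true for every <block>,
// so the non-public one is returned as well.
function lookupBlockVulnerable(DOMXPath $xpath, string $name): array
{
    $expr = "//block[@public='1' and @name='" . $name . "']";
    return nodesToText($xpath->query($expr));
}

// HARDENED pattern: XPath 1.0 has no escaping mechanism, so validate the value
// against an allowlist of the characters a block name may contain and reject
// anything else before it reaches the XML engine.
function lookupBlockHardened(DOMXPath $xpath, string $name): array
{
    if (!preg_match('/^[A-Za-z0-9_.\-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid block name');
    }
    $expr = "//block[@public='1' and @name='" . $name . "']";
    return nodesToText($xpath->query($expr));
}

// Constructed inputs standing in for the GET parameter.
$benign  = 'header';
$crafted = "x' or '1'='1";

print_r(lookupBlockVulnerable($xpath, $benign));
print_r(lookupBlockVulnerable($xpath, $crafted));
print_r(lookupBlockHardened($xpath, $benign));
try {
    lookupBlockHardened($xpath, $crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is the deciding control here: since XPath 1.0 offers no way to escape a quote inside a string literal, rejecting any value outside the expected character set is more reliable than trying to sanitise it, and the rejection is also the event worth logging when monitoring for probes against such an endpoint.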


Related Identifiers

CVE-2019-8158
GHSA-8P5C-F836-M4H7

Affected Products

Magento