Description
In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.