Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.

Remediation

References

CVE-2019-7903

Related Vulnerabilities

PHP Other Vulnerability (CVE-2007-3790)

Ruby on Rails CVE-2022-23634 Vulnerability (CVE-2022-23634)

WordPress Plugin Affiliate PRO Cross-Site Scripting (1.3.1)

MySQL CVE-2012-1689 Vulnerability (CVE-2012-1689)

WordPress Plugin iThemes Security (formerly Better WP Security) Cross-Site Scripting (3.2.4)

Severity

High

Classification

CVE-2019-7903 CWE-94 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities