Main Vulnerability Database Vulnerabilities #VU30668

#VU30668 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Magento Open Source - CVE-2019-8135

Published: November 6, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30668

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-8135

CWE-ID: CWE-74

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Magento Open Source

Software vendor:
Adobe

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution.

Remediation

Install update from vendor's website.

External links

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

#VU30668 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Magento Open Source - CVE-2019-8135

Description

Remediation

External links

Please verify you're human