XML Entity Expansion in Magento Open Source - CVE-2019-8126

Published: November 6, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30697
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-8126
CWE-ID: CWE-776
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Adobe
Affected software:
Magento Open Source

Detailed vulnerability description

The vulnerability allows a remote privileged user to gain access to sensitive information.

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft a document type definition for an XML document representing an XML layout. The crafted document type definition and XML layout allow processing of external entities, which can lead to information disclosure.
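The defensive pattern that closes this class of bug is to parse admin-supplied layout XML with DTD and external entity handling turned off, and to reject any input that carries a document type definition at all. The following PHP function is an added illustration of that pattern, not Magento's own code or the vendor's fix; the function name, the sample inputs and the exception type are assumptions for the example.

```php
<?php
// Added example (not Magento code): parse an admin-supplied XML layout update
// while refusing document type definitions and external entity resolution.

/**
 * Parse a layout XML string without resolving external entities.
 * Returns the DOMDocument on success; throws InvalidArgumentException otherwise.
 */
function loadLayoutXmlSafely(string $xml): DOMDocument
{
    // A legitimate layout update never needs a DTD, so any DOCTYPE or ENTITY
    // declaration is rejected before the parser ever sees it.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml)) {
        throw new InvalidArgumentException(
            'DTD and entity declarations are not allowed in layout XML'
        );
    }

    $previousErrors = libxml_use_internal_errors(true);

    // On PHP < 8.0 external entity loading must be disabled explicitly;
    // PHP 8.0+ disables it by default and deprecates this call.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately NOT passed, so entities are never
    // substituted and external DTDs are never fetched.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);

    // Belt and braces: even if the regex were bypassed, a parsed DOCTYPE node
    // means the document carried a DTD and must be discarded.
    if ($ok === false || $dom->doctype !== null) {
        throw new InvalidArgumentException('Invalid layout XML');
    }
    return $dom;
}

// Constructed sample inputs for demonstration (not taken from the advisory).
$benignLayout = <<<'XML'
<?xml version="1.0"?>
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <body>
        <referenceContainer name="content">
            <block class="Magento\Framework\View\Element\Template" name="example.block"/>
        </referenceContainer>
    </body>
</page>
XML;

$layoutWithDtd = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE page [ <!ENTITY placeholder "text"> ]>
<page><body/></page>
XML;

$dom = loadLayoutXmlSafely($benignLayout);
echo "Accepted layout with root element <" . $dom->documentElement->tagName . ">\n";

try {
    loadLayoutXmlSafely($layoutWithDtd);
    echo "Unexpected: DTD-bearing layout was accepted\n";
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
```

The pre-parse regex is the cheap first line of defence; the `doctype` check after parsing guards against anything the regex missed, and omitting `LIBXML_NOENT` / `LIBXML_DTDLOAD` keeps libxml from expanding or fetching entities even when a DTD is present. Logging rejections from a privileged admin account is a useful detection signal, since no legitimate layout update carries a DOCTYPE.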


How to mitigate CVE-2019-8126

Install the update from the vendor's website.