Main Vulnerability Database Vulnerabilities #VU30906

Input validation error in Magento Open Source - CVE-2019-7885

Published: August 3, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30906

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-7885

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Adobe

Affected software:
Magento Open Source

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search.

How to mitigate CVE-2019-7885

Install update from vendor's website.

Sources

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13

Input validation error in Magento Open Source - CVE-2019-7885

Detailed vulnerability description

How to mitigate CVE-2019-7885

Sources

Please verify you're human