#VU30912 Input validation error in Magento Open Source - CVE-2019-7896
Published: August 3, 2019 / Updated: July 17, 2020
Vulnerability identifier: #VU30912
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-7896
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Magento Open Source
Magento Open Source
Software vendor:
Adobe
Adobe
Description
The vulnerability allows a remote privileged user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.
Remediation
Install update from vendor's website.