Remote Code Execution in Magento by Admin User Manipulation
CVE-2019-8151

7.2HIGH

Key Information:

Vendor: Adobe
Status: Magento 2
Vendor: CVE Published:; 6 November 2019

What is CVE-2019-8151?

A remote code execution vulnerability allows authenticated admin users in Magento versions 2.2 and 2.3 to execute arbitrary code. This results from the inadequate handling of server-side requests pertaining to shipment settings, enabling users to manipulate carrier gateways. The flaw affects multiple versions of Magento, necessitating the application of security updates to mitigate exploitation risks.

Affected Version(s)

Magento 2 Magento 2.2 prior to 2.2.10

Magento 2 Magento 2.3 prior to 2.3.3 or 2.3.2-p1

References

https://magento.com/security/patches/magento-2.3.3-and-2....

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2019
Vulnerability Reserved
Feb 12, 2019

Adobe

What is CVE-2019-8151?

Affected Version(s)

References

CVSS V3.1

Timeline