Remote Code Execution in Magento by Admin User Manipulation
CVE-2019-8151

7.2HIGH

Key Information:

Vendor: Adobe
Status: Magento 2
Vendor: CVE Published:; 6 November 2019

Summary

A remote code execution vulnerability allows authenticated admin users in Magento versions 2.2 and 2.3 to execute arbitrary code. This results from the inadequate handling of server-side requests pertaining to shipment settings, enabling users to manipulate carrier gateways. The flaw affects multiple versions of Magento, necessitating the application of security updates to mitigate exploitation risks.

Affected Version(s)

Magento 2 Magento 2.2 prior to 2.2.10

Magento 2 Magento 2.3 prior to 2.3.3 or 2.3.2-p1

References

https://magento.com/security/patches/magento-2.3.3-and-2....

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 6, 2019
Vulnerability Reserved
Feb 12, 2019