CVE-2019-7139
CRITICAL EXPLOITED NUCLEI
Magento <2.1.18-2.3.2 - SQL Injection
Title source: llm
Description
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue affects Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2.
Exploits (1)
nomisec
WORKING POC
6 stars
by adhammedhat111 · infoleak
https://github.com/adhammedhat111/Magento-CVE-2019-7139-SQLi-PoC
Nuclei Templates (1)
Magento - SQL Injection
CRITICAL VERIFIED by MaStErChO
Shodan:
http.component:"Magento" || cpe:"cpe:2.3:a:magento:magento" || http.component:"magento"
Scores
CVSS v3: 9.8
EPSS: 0.6011
EPSS Percentile: 98.3%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2019-04-02
CWE: CWE-89
Status: published
Products (3)
magento/community-edition: 2.1.0 - 2.1.18 (Packagist)
magento/magento: < 1.9.4.1
magento/magento: 1.14.0.0 - 1.14.4.1
Published: Apr 10, 2019
Tracked Since: Feb 18, 2026