CVE-2019-7139
CRITICAL EXPLOITED NUCLEIMagento <2.1.18-2.3.2 - SQL Injection
Title source: llmExploitation Summary
CVE-2019-7139 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including adhammedhat111. A Nuclei detection template is also available.
AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2019-7139, an unauthenticated SQL injection vulnerability in Magento. The exploit uses error-based and time-based techniques to enumerate databases, tables, columns, and data via the `/catalog/product_frontend_action/synchronize` endpoint.
Description
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
Exploits (1)
This repository contains a functional proof-of-concept exploit for CVE-2019-7139, an unauthenticated SQL injection vulnerability in Magento. The exploit uses error-based and time-based techniques to enumerate databases, tables, columns, and data via the `/catalog/product_frontend_action/synchronize` endpoint.
Nuclei Templates (1)
http.component:"Magento" || cpe:"cpe:2.3:a:magento:magento" || http.component:"magento"
References (2)
Scores
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H