CVE-2019-7876

HIGH

Magento 2.1-2.1.17 - Authenticated Remote Code Execution via Layout Manipulation

Title source: llm

Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13

Scores

CVSS v3 8.8

EPSS 0.0084

EPSS Percentile 75.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (3)

magento/community-edition 2.1 - 2.1.18Packagist

magento/magento 2.1.0 - 2.1.18

magento/product-community-edition 2.1 - 2.1.18Packagist

Published Aug 02, 2019

Tracked Since Feb 18, 2026