CVE-2019-8119
HIGHMagento 2.1.0-2.1.18, 2.2.0-2.2.9, 2.3.0-2.3.2 - Authenticated Remote Code Execution via XSLT File Injection
Title source: llmDescription
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
Scores
CVSS v3
7.2
EPSS
0.0181
EPSS Percentile
83.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (2)
magento/community-edition
2.1.0 - 2.1.19Packagist
magento/magento
2.1.0 - 2.1.19 (2 CPE variants)
Published
Nov 05, 2019
Tracked Since
Feb 18, 2026