CVE-2019-8122
HIGHMagento 2.1.0-2.1.18, 2.2.0-2.2.9, 2.3.0-2.3.2 - Authenticated Remote Code Execution via Product Import Layout Update
Title source: llmDescription
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
Scores
CVSS v3
8.8
EPSS
0.0112
EPSS Percentile
78.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (2)
magento/community-edition
2.1.0 - 2.1.19Packagist
magento/magento
2.1.0 - 2.1.19 (2 CPE variants)
Published
Nov 05, 2019
Tracked Since
Feb 18, 2026