CVE-2019-8141

HIGH

Magento < 2.1.19 - Insecure Deserialization

Title source: rule

Description

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system-level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.

Scores

CVSS v3 7.2
EPSS 0.0159
EPSS Percentile 81.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (5)

magento/magento < 2.1.19
magento/magento < 2.1.19
magento/magento
magento/magento
magento/community-edition < 2.1.19 (Packagist)

Timeline

Published Nov 06, 2019
Tracked Since Feb 18, 2026