CVE-2019-8141
HIGHMagento 2.1.0-2.1.18, 2.2.0-2.2.9, <2.3.3 - Remote Code Execution via Phar Deserialization
Title source: llmDescription
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
Scores
CVSS v3
7.2
EPSS
0.0159
EPSS Percentile
81.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (3)
magento/community-edition
2.1.0 - 2.1.19Packagist
magento/magento
2.3.2 (2 CPE variants)
magento/magento
2.1.0 - 2.1.19 (2 CPE variants)
Published
Nov 06, 2019
Tracked Since
Feb 18, 2026