Description
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.
References (1)
Core References
Vendor Advisory x_refsource_misc
https://magento.com/security/patches/supee-11219
Scores
CVSS v3
7.2
EPSS
0.0019
EPSS Percentile
40.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (3)
magento/community-edition
0 - 1.9.4.3 (Packagist)
magento/magento
1.5.0.0 - 1.9.4.3
magento/magento
1.9.0.0 - 1.14.4.3
Published
Nov 06, 2019
Tracked Since
Feb 18, 2026