CVE-2019-8119

HIGH severity · CVSS 7.2

7.2CVSS HIGH

Summary

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredHigh

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)2%

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Magento

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update ↗

Additional information

NVD record
https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-updatePatch
https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-updatePatch