CVE-2019-7871 – magento/community-edition

Package

Manager: composer
Name: magento/community-edition
Vulnerable Version: >=2.1.0 <2.1.18 || >=2.2.0 <2.2.9 || >=2.3.0 <2.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00252 pctl0.48362

Details

Magento 2 Community Edition Unsafe File Upload A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection.

Metadata

Created: 2022-05-24T16:52:24Z
Modified: 2024-02-12T11:42:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v527-6h5r-cfg8/GHSA-v527-6h5r-cfg8.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-v527-6h5r-cfg8
Finding: F422
Auto approve: 1