Loading HuntDB...

CVE-2019-8126

UNKNOWN
Published 2019-11-05T22:55:02
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2019-8126. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Information disclosure through processing of external XML entities

GHSA-427g-2r83-3ccm

Advisory Details

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release-notes-2-3-3-commerce.html#new-security-only-patch-available), if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

Affected Packages

Packagist magento/community-edition
ECOSYSTEM: ≥2.2 <2.2.10
Packagist magento/community-edition
ECOSYSTEM: ≥2.3 <2.3.2-p2

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Advisory provided by GitHub Security Advisory Database. Published: November 12, 2019, Modified: February 12, 2024

References

Published: 2019-11-05T22:55:02
Last Modified: 2024-08-04T21:10:32.967Z
Copied to clipboard!