Allele Security Alert
SQL Injection vulnerability through an unauthenticated user
Magento Open Source prior to 18.104.22.168
Magento Commerce prior to 22.214.171.124
Magento 2.1 prior to 2.1.17
Magento 2.2 prior to 2.2.8
Magento 2.3 prior to 2.3.1
Magento Open Source 126.96.36.199
Magento Commerce 188.8.131.52
Proof of concept
An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. NOTE: This patch is not included in 2.1.17. Please apply the PRODSECBUG-2198 patch in addition to upgrading to 2.1.17.
Magento 2.3.1, 2.2.8 and 2.1.17 Security Update
MAGENTO 2.2.0 <= 2.3.0 UNAUTHENTICATED SQLI
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 16, 2019