Allele Security Alert
SQL Injection vulnerability through an unauthenticated user
Magento Open Source prior to 184.108.40.206
Magento Commerce prior to 220.127.116.11
Magento 2.1 prior to 2.1.17
Magento 2.2 prior to 2.2.8
Magento 2.3 prior to 2.3.1
Magento Open Source 18.104.22.168
Magento Commerce 22.214.171.124
Proof of concept
An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. NOTE: This patch is not included in 2.1.17. Please apply the PRODSECBUG-2198 patch in addition to upgrading to 2.1.17.
Magento 2.3.1, 2.2.8 and 2.1.17 Security Update
MAGENTO 2.2.0 <= 2.3.0 UNAUTHENTICATED SQLI
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 16, 2019