Allele Security Alert
SQL Injection vulnerability through an unauthenticated user
Magento Open Source prior to 220.127.116.11
Magento Commerce prior to 18.104.22.168
Magento 2.1 prior to 2.1.17
Magento 2.2 prior to 2.2.8
Magento 2.3 prior to 2.3.1
Magento Open Source 22.214.171.124
Magento Commerce 126.96.36.199
Proof of concept
An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. NOTE: This patch is not included in 2.1.17. Please apply the PRODSECBUG-2198 patch in addition to upgrading to 2.1.17.
Magento 2.3.1, 2.2.8 and 2.1.17 Security Update
MAGENTO 2.2.0 <= 2.3.0 UNAUTHENTICATED SQLI
Last modified: April 16, 2019