Allele Security Alert
ASA-2019-00178
Identifier(s)
ASA-2019-00178, PRODSECBUG-2261
Title
Arbitrary code execution due to unsafe deserialization of a PHP archive
Vendor(s)
Magento
Product(s)
Magento
Affected version(s)
Magento Open Source prior to 1.9.4.1
Magento Commerce prior to 1.14.4.1
Magento 2.1 prior to 2.1.17
Magento 2.2 prior to 2.2.8
Magento 2.3 prior to 2.3.1
Fixed version(s)
Magento Open Source 1.9.4.1
Magento Commerce 1.14.4.1
SUPEE-11086
Magento 2.1.17
Magento 2.2.8
Magento 2.3.1
Proof of concept
Unknown
Description
An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
Technical details
Unknown
Credits
Simon Scannell
Reference(s)
Magento 2.3.1, 2.2.8 and 2.1.17 Security Update
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 15, 2019