Allele Security Alert
ASA-2019-00189
Identifier(s)
ASA-2019-00189, PRODSECBUG-2195
Title
Deletion of a product attribute through Cross-Site Request Forgery (CSRF)
Vendor(s)
Magento
Product(s)
Magento
Affected version(s)
Magento Open Source prior to 1.9.4.1
Magento Commerce prior to 1.14.4.1
Magento 2.1 prior to 2.1.17
Magento 2.2 prior to 2.2.8
Magento 2.3 prior to 2.3.1
Fixed version(s)
Magento Open Source 1.9.4.1
Magento Commerce 1.14.4.1
SUPEE-11086
Magento 2.1.17
Magento 2.2.8
Magento 2.3.1
Proof of concept
Unknown
Description
An attacker can delete a product attribute within the context of authenticated administrator’s session through Cross-Site Request Forgery (CSRF).
Technical details
Unknown
Credits
djordje-marjanovic
Reference(s)
Magento 2.3.1, 2.2.8 and 2.1.17 Security Update
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 18, 2019