Allele Security Alert
ASA-2019-00396
Identifier(s)
ASA-2019-00396, CVE-2019-7897, PRODSECBUG-2296
Title
Arbitrary code execution through design layout update
Vendor(s)
Magento, Inc
Product(s)
Magento
Affected version(s)
Magento 2.1.x versions prior to 2.1.18
Magento 2.2.x versions prior to 2.2.9
Magento 2.3.x versions prior to 2.3.2
Fixed version(s)
Magento 2.1.18
Magento 2.2.9
Magento 2.3.2
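Triage helper for the version ranges listed above. This is an added example, not part of the advisory or of Magento's own code: it parses a Magento version string (as printed by `bin/magento --version` or recorded in the root composer.json; the exact output wording is an assumption, so the extractor just looks for the first version-like token) and maps it onto the per-branch fixed releases given in this alert. Versions on branches the advisory does not list (for example 2.4.x) are reported as "not covered" rather than "fixed", since the alert says nothing about them.

```python
"""Affected-version check for ASA-2019-00396 / CVE-2019-7897.

Added example for this advisory; not Magento code. The fixed releases per
branch are copied from the advisory's "Fixed version(s)" section.
"""
import re
from typing import Dict, Optional, Tuple

# (major, minor) branch -> first fixed (major, minor, patch), per the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2, 1): (2, 1, 18),
    (2, 2): (2, 2, 9),
    (2, 3): (2, 3, 2),
}

# MAJOR.MINOR.PATCH with an optional "-pN" security-patch suffix (e.g. 2.3.2-p1).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, p) for strings like '2.3.1' or '2.3.2-p1'."""
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, p = m.groups()
    return int(major), int(minor), int(patch), int(p or 0)


def version_from_cli_output(text: str) -> Optional[str]:
    """Pull the version token out of CLI output such as 'Magento CLI 2.3.1'.

    The surrounding wording varies between releases (assumption: it always
    contains one MAJOR.MINOR.PATCH token), so only the token is matched.
    """
    m = _VERSION_RE.search(text)
    return m.group(0) if m else None


def is_affected(version: str) -> Optional[bool]:
    """True if vulnerable, False if at/after the branch's fixed release,
    None if the branch is not covered by the advisory (do not treat as safe)."""
    major, minor, patch, _p = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None
    # A "-pN" patch release of the fixed version (e.g. 2.3.2-p1) compares equal
    # on (major, minor, patch) and is therefore correctly reported as fixed.
    return (major, minor, patch) < fixed


def classify(versions: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' | 'fixed' | 'not covered' for a fleet inventory."""
    labels = {True: "affected", False: "fixed", None: "not covered"}
    return {host: labels[is_affected(v)] for host, v in versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {
        "shop-a": version_from_cli_output("Magento CLI 2.3.1"),
        "shop-b": version_from_cli_output("Magento CLI version 2.1.17"),
        "shop-c": "2.2.9",
        "shop-d": "2.3.2-p1",
        "shop-e": "2.4.0",
    }
    for host, status in classify(inventory).items():
        print(f"{host:8s} {inventory[host]:10s} {status}")
```

Run it against the output of `bin/magento --version` on each store; anything reported "affected" should be upgraded to the fixed release for its branch, and "not covered" hosts need a separate look at the vendor page in the references.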
Proof of concept
Unknown
Description
An authenticated user with admin privileges can execute arbitrary code on the Magento server by submitting a crafted XML layout update through the backend. Because a backend admin account is required, this is a privilege escalation from store administration to code execution on the host, not an unauthenticated remote code execution; the vendor's security update page (see References) does not publish further details.
Technical details
Unknown
Credits
Blaklis
Reference(s)
PRODSECBUG-2296: Arbitrary code execution through design layout update – CVE-2019-7895
https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
CVE-2019-7897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7897
CVE-2019-7897
https://nvd.nist.gov/vuln/detail/CVE-2019-7897
If there is any error in this alert, or you wish for a comprehensive analysis, let us know.
Last modified: June 29, 2019