Allele Security Alert
ASA-2019-00398
Identifier(s)
ASA-2019-00398, CVE-2019-7930, PRODSECBUG-2349
Title
Arbitrary code execution via file upload in admin import feature
Vendor(s)
Magento, Inc.
Product(s)
Magento
Affected version(s)
Magento 2.1.x versions prior to 2.1.18
Magento 2.2.x versions prior to 2.2.9
Magento 2.3.x versions prior to 2.3.2
Fixed version(s)
Magento 2.1.18
Magento 2.2.9
Magento 2.3.2
Proof of concept
Unknown
Description
An authenticated user with admin privileges for the import feature can execute arbitrary code by uploading a malicious CSV file.
Technical details
Unknown
Credits
sambecks
Reference(s)
PRODSECBUG-2296: Arbitrary code execution through design layout update – CVE-2019-7895
https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
CVE-2019-7930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7930
CVE-2019-7930
https://nvd.nist.gov/vuln/detail/CVE-2019-7930
If you find an error in this alert or would like a comprehensive analysis, let us know.
Last modified: June 29, 2019