Allele Security Alert
ASA-2019-00398, CVE-2019-7930, PRODSECBUG-2349
Arbitrary code execution via file upload in admin import feature
Magento 2.1.x versions prior to 2.1.18
Magento 2.2.x versions prior to 2.2.9
Magento 2.3.x versions prior to 2.3.2
Proof of concept
An authenticated user whose admin role grants access to the import feature can execute arbitrary code by uploading a malicious CSV file.
PRODSECBUG-2296: Arbitrary code execution through design layout update – CVE-2019-7895
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: June 29, 2019