CVE-2019-7871
Magento 2 Community Edition Unsafe File Upload
Severity: 8.8 HIGH (CVSS 3.1)
EPSS: 0.21%
Description
A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass the security protections that prevent arbitrary PHP script upload by means of form data injection.
How to fix CVE-2019-7871
To remediate CVE-2019-7871, upgrade the affected package to a fixed version below.
- upgrade to 2.1.18 or later
Is CVE-2019-7871 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.1.0, < 2.1.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |