CVE-2019-8122
Magento 2 Community Edition RCE Vulnerability
CVSS 3.1 base score: 8.8 (HIGH)
EPSS: 1.1%
Description
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft a custom layout update and use the product import functionality to achieve remote code execution.
How to fix CVE-2019-8122
To remediate CVE-2019-8122, upgrade the affected package to a fixed version below.
- upgrade to 2.1.19 or later
Is CVE-2019-8122 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.1.0, < 2.1.19
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |