Magento 1 prior to 1.9.4.3 Improper Input Validation Vulnerability

Summary

A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution.

Credit:

The information has been provided by Luke Rodgers.

The original article can be found at: https://magento.com/security/patches/supee-11219


Details

A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3.

An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution.

Vulnerable Systems:

Magento 1 prior to 1.9.4.3

Magento 1 prior to 1.14.4.3

CVE Information:

CVE-2019-8091

Disclosure Timeline:

Published Date: 11/5/2019