Magento 2.1 Insufficient Information Vulnerability

Summary

An authenticated user can manipulate the design layout update feature.

Credit:

The information has been provided by Blaklis

The original article can be found at: https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update


Details

An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. An authenticated user can manipulate the design layout update feature.

Vulnerable Systems:

Magento 2.1 prior to 2.1.19

Magento 2.2 prior to 2.2.10

Magento 2.3 prior to 2.3.3

CVE Information:

CVE-2019-8090

Disclosure Timeline:
Published Date: 11/5/2019