CVE-2019-8126: XEE
First published: Tue Oct 08 2019(Updated: )
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.
Credit: psirt@adobe.com psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/product-community-edition | >=2.2<2.2.10>=2.3<2.3.2-p2 | |
| Magento Magento | >=2.2.0<2.2.10 | |
| Magento Magento | >=2.2.0<2.2.10 | |
| Magento Magento | >=2.3.0<2.3.2 | |
| Magento Magento | >=2.3.0<2.3.2 | |
| Magento Magento | =2.3.2 | |
| Magento Magento | =2.3.2 | |
| composer/magento/community-edition | >=2.3<2.3.2-p2 | 2.3.2-p2 |
| composer/magento/community-edition | >=2.2<2.2.10 | 2.2.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-427g-2r83-3ccm
- alias/CVE-2019-8126
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/severity
- agent/author
- agent/remedy
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/description
- agent/softwarecombine
- agent/event
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/magento
- canonical/magento magento
- version/magento magento/2.2.0
- version/magento magento/2.3.0
- version/magento magento/2.3.2