CVE-2019-7911

Published: Aug 2, 2019Modified: Nov 21, 2024

7.2

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to the admin panel to manipulate system configuration and execute arbitrary code.

Affected (3)

Products: Magento: Magento

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Magento Magento	From 2.1.0 to 2.1.18
Magento Magento	From 2.2.0 to 2.2.9
Magento Magento	From 2.3.0 to 2.3.2

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13

Source: psirt@adobe.com

Vendor Advisory

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.