CVE-2019-7912

Published: Aug 2, 2019Modified: Jun 17, 2026

7.2

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the malicious upload and execution of malicious files on the server.

Affected (3)

Products: Magento: Magento

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Magento Magento	From 2.1.0 to 2.1.18
Magento Magento	From 2.2.0 to 2.2.9
Magento Magento	From 2.3.0 to 2.3.2

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33

Source: psirt@adobe.com

Vendor Advisory

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.