CVE-2019-8093

Published: Nov 5, 2019Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files.

Affected (6)

Products: Magento: Magento

Magento

1 product

Magento

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Magento Magento	From 2.2.0 to 2.2.10
Magento Magento	From 2.3.0 to 2.3.2
Magento Magento	From 2.2.0 to 2.2.10
Magento Magento	From 2.3.0 to 2.3.2
Magento Magento	Version 2.3.2
Magento Magento	Version 2.3.2

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Source: psirt@adobe.com

PatchVendor Advisory

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.