CVE-2019-8109

Published: Nov 5, 2019Modified: Jun 17, 2026

8.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.1 / Impact: 5.9

Source: NVD

Description

A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution.

Affected (6)

Products: Magento: Magento

Magento

1 product

Magento

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Magento Magento	From 2.2.0 to 2.2.10
Magento Magento	From 2.3.0 to 2.3.2
Magento Magento	From 2.2.0 to 2.2.10
Magento Magento	From 2.3.0 to 2.3.2
Magento Magento	Version 2.3.2
Magento Magento	Version 2.3.2

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Source: psirt@adobe.com

PatchVendor Advisory

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.