CVE-2019-8114

Published: Nov 5, 2019Modified: Jun 17, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload.

Affected (8)

Products: Magento: Magento

Magento

1 product

Magento

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Magento Magento	Before 1.14.4.3
Magento Magento	From 2.2.0 to 2.2.10
Magento Magento	From 2.3.0 to 2.3.2
Magento Magento	Before 1.9.4.3
Magento Magento	From 2.2.0 to 2.2.10
Magento Magento	From 2.3.0 to 2.3.2
Magento Magento	Version 2.3.2
Magento Magento	Version 2.3.2

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://magento.com/security/patches/supee-11219

Source: psirt@adobe.com

PatchVendor Advisory

https://magento.com/security/patches/supee-11219

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.