CVE-2019-8140

Published: Nov 6, 2019Modified: Jun 17, 2026

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file.

Affected (6)

Products: Magento: Magento

Magento

1 product

Magento

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Magento Magento	From 2.2.0 to 2.2.10
Magento Magento	From 2.3.0 to 2.3.2
Magento Magento	From 2.2.0 to 2.2.10
Magento Magento	From 2.3.0 to 2.3.2
Magento Magento	Version 2.3.2
Magento Magento	Version 2.3.2

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Source: psirt@adobe.com

PatchVendor Advisory

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.