CVE-2015-6497
N/A
N/A
Summary
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://packetstormsecurity.com/files/133544/Magento-1.9.2-File-Inclusion.html
- http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html
- http://karmainsecurity.com/KIS-2015-04
- http://seclists.org/fulldisclosure/2015/Sep/48
- http://magento.com/security/patches/supee-6482
References
- http://packetstormsecurity.com/files/133544/Magento-1.9.2-File-Inclusion.html
- http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html
- http://karmainsecurity.com/KIS-2015-04
- http://seclists.org/fulldisclosure/2015/Sep/48
- http://magento.com/security/patches/supee-6482
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.