CVE-2019-8158

Summary

An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data.

Affected Software

VendorProductVersion RangeStatus
Adobe Systems IncorporatedMagento 2Magento 2.2 prior to 2.2.10affected
Adobe Systems IncorporatedMagento 2Magento 2.3 prior to 2.3.3 or 2.3.2-p1affected

Weaknesses

  • XPath Injection vulnerability

ADP Enrichment

CVE Program Container

Additional References

References