GHSA-427g-2r83-3ccm

Suggest an improvement
Source
https://github.com/advisories/GHSA-427g-2r83-3ccm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-427g-2r83-3ccm/GHSA-427g-2r83-3ccm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-427g-2r83-3ccm
Aliases
Published
2019-11-12T22:59:24Z
Modified
2024-02-16T08:17:16.781951Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Information disclosure through processing of external XML entities
Details

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.

As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

References

Affected packages

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2
Fixed
2.2.10

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3
Fixed
2.3.2-p2

Affected versions

2.*

2.3.0
2.3.1
2.3.2