GHSA-j4fq-3fm7-wh5v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j4fq-3fm7-wh5v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j4fq-3fm7-wh5v/GHSA-j4fq-3fm7-wh5v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j4fq-3fm7-wh5v
- Aliases
-
- CVE-2015-6497
- Published
- 2022-05-24T17:06:13Z
- Modified
- 2024-01-10T23:28:18.794715Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Magento arbitrary PHP code execution via the productData parameter
- Details
-
The create function in
app/code/core/Mage/Catalog/Model/Product/Api/V2.phpin Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter toindex.php/api/v2_soap. - Database specific
{ "nvd_published_at": "2020-01-15T17:15:00Z", "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-10T23:10:29Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-6497
- https://github.com/magento/magento2
- http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html
- http://karmainsecurity.com/KIS-2015-04
- http://magento.com/security/patches/supee-6482
- http://packetstormsecurity.com/files/133544/Magento-1.9.2-File-Inclusion.html
- http://seclists.org/fulldisclosure/2015/Sep/48
Affected packages
Packagist / magento/core
Package
- Name
- magento/core
- Purl
- pkg:composer/magento/core