Remote Code Execution via Product Attribute Layout Updates in Magento 1

CVE-2019-8091 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution.
