Description
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload.
Affected products
- Adobe Systems Incorporated / Magento 1 & 2Magento Open Source prior to 1.9.4.3 – Magento Open Source prior to 1.9.4.3
- Adobe Systems Incorporated / Magento 1 & 2and Magento Commerce prior to 1.14.4.3 – and Magento Commerce prior to 1.14.4.3
- Adobe Systems Incorporated / Magento 1 & 2Magento 2.2 prior to 2.2.10 – Magento 2.2 prior to 2.2.10
- Adobe Systems Incorporated / Magento 1 & 2Magento 2.3 prior to 2.3.3 or 2.3.2-p1 – Magento 2.3 prior to 2.3.3 or 2.3.2-p1