Skip to main content

Magento CVE-2019-8151

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2019-11-06 psirt@adobe.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 06, 2019 - 00:15 nvd
HIGH 7.2

DescriptionNVD

A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway.

AnalysisAI

A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway. Affected products include: Magento. Version information: prior to 2.2.10.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

CVE-2016-4010 CRITICAL POC
9.8 Jan 23

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary

CVE-2015-1397 MEDIUM POC
6.5 Apr 29

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Communit

CVE-2024-34102 CRITICAL POC
9.8 Jun 13

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML E

CVE-2015-1398 MEDIUM POC
6.5 Apr 29

Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.

CVE-2019-7139 CRITICAL POC
9.8 Apr 10

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which ca

CVE-2020-8818 HIGH POC
8.1 Feb 25

An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Rated high severity (CVSS 8.1), th

CVE-2023-41879 HIGH POC
7.5 Sep 11

Magento LTS is the official OpenMage LTS codebase. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi

CVE-2015-1399 MEDIUM POC
6.5 Apr 29

PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento

CVE-2015-3458 MEDIUM POC
6.5 Apr 29

The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterpri

CVE-2014-9758 MEDIUM POC
6.1 Sep 20

Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platform 1.9.0.1. Rated medium severity (CVSS 6.1), this

CVE-2015-8707 CRITICAL
9.8 Sep 26

Password reset tokens in Magento CE before 1.9.2.2, and Magento EE before 1.14.2.2 are passed via a GET request and not

CVE-2024-45115 CRITICAL
9.8 Oct 10

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication v

Share

CVE-2019-8151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy