CVE-2019-7876
Magento 2 Community Edition RCE Vulnerability
CVSS 3.1 score: 8.8 (HIGH); EPSS: 0.84%
Description
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.
How to fix CVE-2019-7876
To remediate CVE-2019-7876, upgrade the affected package to a fixed version below.
- upgrade to 2.1.18 or later
- upgrade to 2.1.18 or later
Is CVE-2019-7876 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.1, < 2.1.18
- >= 2.1, < 2.1.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | 8.8 HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |