The vulnerability stems from improper handling of XML layout updates by authenticated admins. The primary attack vector involves XML parsing mechanisms that allowed PHP object injection (via unserialize) or dynamic method execution. The 'load' method in Layout/Update is central to XML processing, and historical Magento vulnerabilities (such as CVE-2015-1397) show similar patterns. The involvement of the 'generateBlock' method is inferred from its role in executing block methods defined in XML, with slightly less certainty because there is no direct patch evidence.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2, < 2.2.9 | 2.2.9 |
| magento/community-edition | composer | >= 2.3, < 2.3.2 | 2.3.2 |
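
To check an installation against the ranges in the table above, the following added example (not part of the advisory or of Magento) scans the contents of a `composer.lock` file for the listed package. It assumes the lock file records the package under the name shown in the table and compares only the numeric part of the version; the sample lock file is constructed.

```python
import json
import re

# Affected ranges copied from the advisory table: (first affected, first patched).
PACKAGE = "magento/community-edition"
AFFECTED = [((2, 1, 0), (2, 1, 18)), ((2, 2, 0), (2, 2, 9)), ((2, 3, 0), (2, 3, 2))]

def parse_version(text):
    """Return (major, minor, patch), or None for non-numeric refs like dev-master.

    Suffixes such as -beta1 or -p1 are ignored (a simplification of this example).
    """
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())

def status(version_text):
    """Classify one version: ('vulnerable', fix), ('not affected', None) or ('unknown', None)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown", None
    for low, fixed in AFFECTED:
        if low <= v < fixed:
            return "vulnerable", ".".join(map(str, fixed))
    return "not affected", None

def audit_lock(lock_text):
    """Scan composer.lock content; return [(version, status, first_patched)]."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                v = pkg.get("version", "")
                findings.append((v, *status(v)))
    return findings

# Constructed sample composer.lock, not taken from a real installation.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/community-edition", "version": "2.2.8"},
        {"name": "monolog/monolog", "version": "1.25.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, state, fixed in audit_lock(SAMPLE_LOCK):
        hint = f" (upgrade to {fixed} or later)" if fixed else ""
        print(f"{PACKAGE} {version}: {state}{hint}")
```

A result of `unknown` means the lock file pins a branch or commit reference rather than a release, so the installed code has to be checked by hand.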