-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability requires two key components: 1) injection of malicious layout XML via product imports, and 2) unsafe evaluation of that XML during page rendering. The Product Import module's handling of 'custom_layout_update' (via _saveProductEntity) was the entry point for XML payload injection. The Layout Merge subsystem (via generateXml) then processed this untrusted XML without proper sanitization, enabling PHP object instantiation or template-based code execution. These components directly map to the described attack vector combining CSV imports and XML layout updates.
PHPPHP| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2, < 2.2.9 | 2.2.9 |
| magento/community-edition |
| composer |
| >= 2.3, < 2.3.2 |
| 2.3.2 |
Ongoing coverage of React2Shell