CVSS Score
-

The vulnerability involves RCE via email template previews and is classified under CWE-94 (Code Injection). Magento's email template rendering system uses methods such as Preview::execute to handle admin requests and Template::getProcessedTemplate to parse content. These functions are high-confidence candidates because:

1. The attack requires admin privileges to modify templates, which aligns with the controller's admin context.
2. Code injection in templates often occurs in rendering logic.
3. Historical Magento vulnerabilities (e.g., PRODSECBUG-2306) have involved insecure handling of 'allow_php' or template directives.

No patch details are available, so this attribution is inferred; the functions' roles in processing untrusted template data make them likely vectors.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1.0, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2.0, < 2.2.9 | 2.2.9 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.2 | 2.3.2 |
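
To triage an installation against the ranges in the table above, the following added example (not part of the advisory or of Magento's code) reads a `composer.lock` and classifies the locked `magento/community-edition` version. It assumes the standard lock-file layout with `packages` and `packages-dev` arrays of `name`/`version` entries; the sample lock content is constructed.

```python
import json
import re

# Affected ranges copied from the advisory table: (introduced, first patched).
PACKAGE = "magento/community-edition"
AFFECTED = [((2, 1, 0), (2, 1, 18)), ((2, 2, 0), (2, 2, 9)), ((2, 3, 0), (2, 3, 2))]


def parse_version(raw):
    """Return (major, minor, patch) from a Composer version string, or None.

    Accepts an optional leading "v" and ignores suffixes such as "-p1";
    branch aliases like "dev-master" cannot be compared and yield None.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def check_lock(lock_text, package=PACKAGE):
    """Classify the locked version of `package` against the advisory ranges.

    Returns (status, version, fix) where status is "vulnerable",
    "not-affected", "unknown-version" or "not-installed".
    """
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for entry in entries:
        if entry.get("name", "").lower() != package:
            continue
        raw = entry.get("version", "")
        ver = parse_version(raw)
        if ver is None:
            return ("unknown-version", raw, None)  # needs manual review
        for introduced, patched in AFFECTED:
            if introduced <= ver < patched:
                return ("vulnerable", raw, ".".join(map(str, patched)))
        return ("not-affected", raw, None)
    return ("not-installed", None, None)


# Constructed sample lock file, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/community-edition", "version": "2.2.8"},
        {"name": "monolog/monolog", "version": "1.25.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

An `unknown-version` result (for example a `dev-` branch alias) means the locked version cannot be compared numerically and should be checked by hand.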