-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability combines two exploits: XSLT code injection and file deletion via product imports. The XSLT parser (Csv::_getParser) is vulnerable because Magento's XSLT processing allowed execution of PHP functions via 'php:function()' in untrusted XSL files. The MediaProcessor::removeImage function likely lacked proper path sanitization, enabling path traversal. Both functions are core to the described attack vector (RCE via XSLT injection + file deletion), and their roles align with Magento's import architecture.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1.0, < 2.1.19 | 2.1.19 |
| magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
| magento/community-edition |
| composer |
| >= 2.3.0, < 2.3.3 |
| 2.3.3 |
Ongoing coverage of React2Shell