Miggo Logo
Miggo Vulnerability Database
CVE-2019-8124

CVE-2019-8124:
Magento 2 Community Edition Insufficient Logging

4.9

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-8124
GHSA ID
GHSA-x5q5-6wvf-2fpq
EPSS Score
0.41972%
CWE
CWE-345
Published
5/24/2022
Updated
2/2/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.1.0, < 2.1.192.1.19
magento/community-editioncomposer>= 2.2.0, < 2.2.102.2.10
magento/community-editioncomposer>= 2.3.0, < 2.3.32.3.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability specifically relates to unlogged admin actions in design configuration. Magento's design configuration changes are primarily handled through SaveAction in the Design controller and persisted via Config model. The CVE description and PRODSECBUG-2444 reference both indicate missing logging in design update processes. While exact pre-patch code isn't available, Magento's architecture patterns suggest these are the most likely locations where logging would be missing, as confirmed by the patched versions' subsequent inclusion of audit trails for design changes. The medium confidence on Config::save stems from the possibility that logging might be handled at the controller layer rather than model layer.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n insu**i*i*nt lo**in* *n* monitorin* vuln*r**ility *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.*. **ilur* to tr**k **min **tions r*l*t** to **si*n *on*i*ur*tion *oul* l*** to r*pu*i*tion *tt**ks.

Reasoning

T** vuln*r**ility sp**i*i**lly r*l*t*s to unlo**** **min **tions in **si*n *on*i*ur*tion. M***nto's **si*n *on*i*ur*tion ***n**s *r* prim*rily **n*l** t*rou** S*v***tion in t** **si*n *ontroll*r *n* p*rsist** vi* *on*i* mo**l. T** *V* **s*ription *n*