CVE-2019-8126: Information disclosure through processing of external XML entities
4.9
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.29844%
CWE
Published
11/12/2019
Updated
2/12/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
magento/community-edition | composer | >= 2.2, < 2.2.10 | 2.2.10 |
magento/community-edition | composer | >= 2.3, < 2.3.2-p2 | 2.3.2-p2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure XML parsing in layout processing. Magento's DOM configuration (Dom::__construct) is the core XML parser that would require LIBXML_NOENT restriction. LayoutUpdate::load is the entry point for admin-controlled XML that would trigger the vulnerable parsing. These functions would appear in stack traces when processing malicious XML layouts. The confidence is high for Dom::__construct as it's the primary XML parser, and medium for LayoutUpdate::load as it's the likely injection point based on vulnerability description.