4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-8126

GHSA ID

GHSA-427g-2r83-3ccm

EPSS Score

0.29844%

CWE

CWE-611

Published

11/12/2019

Updated

2/12/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-8126

CVE-2019-8126: Information disclosure through processing of external XML entities

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.

As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

(GitHub Advisory)

4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-8126

GHSA ID

GHSA-427g-2r83-3ccm

EPSS Score

0.29844%

CWE

CWE-611

Published

11/12/2019

Updated

2/12/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.2, < 2.2.10	2.2.10
magento/community-edition	composer	>= 2.3, < 2.3.2-p2	2.3.2-p2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parsing in layout processing. Magento's DOM configuration (Dom::__construct) is the core XML parser that would require LIBXML_NOENT restriction. LayoutUpdate::load is the entry point for admin-controlled XML that would trigger the vulnerable parsing. These functions would appear in stack traces when processing malicious XML layouts. The confidence is high for Dom::__construct as it's the primary XML parser, and medium for LayoutUpdate::load as it's the likely injection point based on vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n XML *ntity inj**tion vuln*r**ility *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p*. *n *ut**nti**t** **min us*r **n *r**t *o*um*nt typ* ***inition *or *n XML r*pr*s*ntin* XML l*yout. T** *r**t** *o*um*nt typ* ***initi

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* in l*yout pro**ssin*. M***nto's *OM *on*i*ur*tion (*om::__*onstru*t) is t** *or* XML p*rs*r t**t woul* r*quir* LI*XML_NO*NT r*stri*tion. L*youtUp**t*::lo** is t** *ntry point *or **min-*ontroll** XML

4.9

Basic Information

Concerned about an active attack path?

CVE-2019-8126: Information disclosure through processing of external XML entities

4.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI