Miggo Logo

CVE-2019-8126: Information disclosure through processing of external XML entities

4.9

CVSS Score
3.1

Basic Information

EPSS Score
0.29844%
Published
11/12/2019
Updated
2/12/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.2, < 2.2.102.2.10
magento/community-editioncomposer>= 2.3, < 2.3.2-p22.3.2-p2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parsing in layout processing. Magento's DOM configuration (Dom::__construct) is the core XML parser that would require LIBXML_NOENT restriction. LayoutUpdate::load is the entry point for admin-controlled XML that would trigger the vulnerable parsing. These functions would appear in stack traces when processing malicious XML layouts. The confidence is high for Dom::__construct as it's the primary XML parser, and medium for LayoutUpdate::load as it's the likely injection point based on vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n XML *ntity inj**tion vuln*r**ility *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p*. *n *ut**nti**t** **min us*r **n *r**t *o*um*nt typ* ***inition *or *n XML r*pr*s*ntin* XML l*yout. T** *r**t** *o*um*nt typ* ***initi

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* in l*yout pro**ssin*. M***nto's *OM *on*i*ur*tion (*om::__*onstru*t) is t** *or* XML p*rs*r t**t woul* r*quir* LI*XML_NO*NT r*stri*tion. L*youtUp**t*::lo** is t** *ntry point *or **min-*ontroll** XML