Miggo Logo
Miggo Vulnerability Database
CVE-2019-8134

CVE-2019-8134: Magento SQL injection via marketing account with access to email templates variables

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-8134
GHSA ID
GHSA-45gj-78hc-4mvc
EPSS Score
0.33839%
CWE
CWE-89
Published
5/24/2022
Updated
5/15/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.2, < 2.2.102.2.10
magento/community-editioncomposer>= 2.3, < 2.3.2-p12.3.2-p1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper handling of user input in email template configuration. Marketing users with access to email template variables could manipulate the 'config_path' parameter, which was directly interpolated into SQL queries without parameterization. The loadByConfigPath method in Magento\Email\Model\Template is a known vector for this vulnerability, as it uses the attacker-controlled value to build a WHERE clause in a raw SQL query. This matches the CWE-89 pattern and the described attack scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* SQL inj**tion vuln*r**ility *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p*. * us*r wit* m*rk*tin* privil***s **n *x**ut* *r*itr*ry SQL qu*ri*s in t** **t***s* w**n ****ssin* *m*il t*mpl*t* v*ri**l*s.

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* us*r input in *m*il t*mpl*t* *on*i*ur*tion. M*rk*tin* us*rs wit* ****ss to *m*il t*mpl*t* v*ri**l*s *oul* m*nipul*t* t** '*on*i*_p*t*' p*r*m*t*r, w*i** w*s *ir**tly int*rpol*t** into SQL qu*ri*s wit*o