-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from processing untrusted input in custom layout updates. Historical analysis shows Magento's widget template filter had deserialization vulnerabilities (CVE-2016-4010), and the layout merge process is a core component handling user-provided XML. Though exact patch details are unavailable, these components align with the described attack vector (CMS layout manipulation leading to RCE). The high confidence in Filter::generateWidget comes from its known unsafe unserialize() usage in widget parameters, while Merge::load gets medium confidence as the primary entry point for processing custom layout XML.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.2-p1 | 2.3.2-p1 |
PHPPHP