Miggo Logo
Miggo Vulnerability Database
CVE-2019-8140

CVE-2019-8140: Magento Unrestricted file upload vulnerability

4.9

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-8140
GHSA ID
GHSA-7pr3-34rg-g53m
EPSS Score
0.47432%
CWE
CWE-434
Published
5/24/2022
Updated
2/2/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.2.0, < 2.2.102.2.10
magento/community-editioncomposer>= 2.3.0, < 2.3.32.3.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability involves improper handling of file extensions during Media Storage synchronization. The synchronization process (likely in Magento\MediaStorage components) fails to enforce strict file type checks, allowing JPEG-uploaded files to be stored as PHP. The functions responsible for initiating synchronization (controller) and writing files (synchronization service) are the most plausible candidates. Confidence is medium due to the lack of patch details, but the logic aligns with Magento's architecture and CWE-434 patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n unr*stri*t** *il* uplo** vuln*r**ility *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p*. *n *ut**nti**t** **min us*r **n m*nipul*t* t** Syn**roniz*tion ***tur* in t** M**i* *il* Stor*** o* t** **t***s* to tr*ns*orm upl

Reasoning

T** vuln*r**ility involv*s improp*r **n*lin* o* *il* *xt*nsions *urin* M**i* Stor*** syn**roniz*tion. T** syn**roniz*tion `pro**ss` (lik*ly in M***nto\M**i*Stor*** *ompon*nts) **ils to *n*or** stri*t *il* typ* ****ks, *llowin* JP**-uplo**** *il*s to