Miggo Logo
Miggo Vulnerability Database
CVE-2019-8143

CVE-2019-8143:
Magento Injection vulnerability via email templates

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-8143
GHSA ID
GHSA-94q8-gx29-6mqv
EPSS Score
0.37942%
CWE
CWE-89
Published
5/24/2022
Updated
5/15/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.2, < 2.2.102.2.10
magento/community-editioncomposer>= 2.3, < 2.3.2-p12.3.2-p1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability involves SQL injection via email templates, which are managed through Magento's email template resource model. The loadByCode method is a prime candidate as it handles template loading based on user-provided identifiers. In unpatched versions, this method likely used raw SQL interpolation with user-controlled 'template_code' values, allowing attackers to inject malicious SQL. The patch would have introduced parameterized queries or proper escaping in this method. The confidence is high because this pattern matches the described attack vector and Magento's typical resource model architecture.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* SQL inj**tion vuln*r**ility *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p*. *n *ut**nti**t** us*r wit* ****ss to *m*il t*mpl*t*s **n s*n* m*li*ious SQL qu*ri*s *n* o*t*in ****ss to s*nsitiv* in*orm*tion stor** in t**

Reasoning

T** vuln*r**ility involv*s SQL inj**tion vi* *m*il t*mpl*t*s, w*i** *r* m*n**** t*rou** M***nto's *m*il t*mpl*t* r*sour** mo**l. T** lo***y*o** m*t*o* is * prim* **n*i**t* *s it **n*l*s t*mpl*t* lo**in* **s** on us*r-provi*** i**nti*i*rs. In unp*t***