Home > Vulnerability Database > CVE-2019-8126

Mend.io Vulnerability Database

CVE-2019-8126

Date: November 5, 2019

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.

Language: PHP

Severity Score

4.9

Related Resources (4)

Url: https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8126.yaml

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-8126

Url: https://www.mend.io/vulnerability-database/CVE-2019-8126

Severity Score

4.9

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-776

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-8126

Date: November 5, 2019

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?