Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Magento (2.2.0 to 2.3.0) Unauthenticated SQL Injection Vulnerability - Vulnerability Database

Magento (2.2.0 to 2.3.0) Unauthenticated SQL Injection Vulnerability

Description

An SQL injection vulnerability has been identified in pre-2.3.1 Magento code. An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.

To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. To protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.

Remediation

Upgrade to the latest version of Magento. Magento released version 2.3.1, along with patched versions for 2.2.x, 2.1.x, and 1.1.

References

Magento 2.2.0 <= 2.3.0 Unauthenticated SQLI
Magento 2.3.1, 2.2.8 and 2.1.17 Security Update

Related Vulnerabilities

Hibernate Query Language (HQL) Injection High
Common tags: SQL Injection
WordPress Plugin Abandoned Cart Lite for WooCommerce SQL Injection (5.8.1) High
Common tags: SQL Injection
WordPress Plugin Comments-wpDiscuz SQL Injection (5.3.5) High
Common tags: SQL Injection
WordPress Plugin Form Maker by 10Web-Mobile-Friendly Drag & Drop Contact Form Builder SQL Injection (1.13.35) High
Common tags: SQL Injection
WordPress Plugin Payment Form for PayPal Pro SQL Injection (1.1.64) High
Common tags: SQL Injection

Severity

High

Classification

CVE-2019-7139
CWE-89
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Tags

SQL Injection