CVE-2015-6497: Improper Input Validation

January 15, 2020 (updated January 22, 2020)

The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition, when used with PHP, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.

References

magento.com/security/patches/supee-6482
packetstormsecurity.com/files/133544/Magento-1.9.2-File-Inclusion.html
nvd.nist.gov/vuln/detail/CVE-2015-6497

Code Behaviors & Features

Detect and mitigate CVE-2015-6497 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →