CVE-2019-8093: Magento Information Disclosure via File upload functionality

May 24, 2022 (updated May 15, 2024)

An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files.

References

github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8093.yaml
github.com/advisories/GHSA-32x5-6p4q-q8jh
github.com/magento/magento2
magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
nvd.nist.gov/vuln/detail/CVE-2019-8093

Code Behaviors & Features

Detect and mitigate CVE-2019-8093 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →