CVE-2019-8158: XML Injection (aka Blind XPath Injection)

May 24, 2022 (updated July 18, 2023)

An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data.

References

github.com/advisories/GHSA-8p5c-f836-m4h7
nvd.nist.gov/vuln/detail/CVE-2019-8158
web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Code Behaviors & Features

Detect and mitigate CVE-2019-8158 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →