GHSA-8cjg-f53m-8m9q

Source

https://github.com/advisories/GHSA-8cjg-f53m-8m9q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-8cjg-f53m-8m9q/GHSA-8cjg-f53m-8m9q.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-8cjg-f53m-8m9q

Aliases

Published

2023-09-06T15:30:27Z

Modified

2025-11-06T17:58:28.912107Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Magento XML Injection vulnerability in the Widgets Update Layout

Details

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Database specific

{
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2023-09-06T14:15:08Z",
    "severity": "CRITICAL",
    "github_reviewed_at": "2025-11-06T17:29:26Z"
}

References

Affected packages

Packagist

magento/project-community-edition

Package

Name: magento/project-community-edition
Purl: pkg:composer/magento/project-community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.0.2

Affected versions

0.*

0.1.0-alpha89

0.1.0-alpha90

0.1.0-alpha91

0.1.0-alpha92

0.1.0-alpha93

0.1.0-alpha94

0.1.0-alpha95

0.1.0-alpha96

0.1.0-alpha97

0.1.0-alpha98

0.1.0-alpha99

0.1.0-alpha100

0.1.0-alpha101

0.1.0-alpha102

0.1.0-alpha103

0.1.0-alpha104

0.1.0-alpha105

0.1.0-alpha106

0.1.0-alpha107

0.1.0-alpha108

0.42.0-beta1

0.42.0-beta2

0.42.0-beta3

0.42.0-beta4

0.42.0-beta5

0.42.0-beta6

0.42.0-beta7

0.42.0-beta8

0.42.0-beta9

0.42.0-beta10

0.42.0-beta11

0.74.0-beta1

0.74.0-beta2

0.74.0-beta3

0.74.0-beta4

0.74.0-beta5

0.74.0-beta6

0.74.0-beta7

0.74.0-beta8

0.74.0-beta9

0.74.0-beta10

0.74.0-beta11

0.74.0-beta12

0.74.0-beta13

0.74.0-beta14

0.74.0-beta15

0.74.0-beta16

1.*

1.0.0-beta

2.*

2.0.0-rc

2.0.0-rc2

2.0.0

2.0.1

2.0.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-8cjg-f53m-8m9q/GHSA-8cjg-f53m-8m9q.json"

magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.7-p1

Affected versions

0.*

0.1.0-alpha89

0.1.0-alpha90

0.1.0-alpha91

0.1.0-alpha92

0.1.0-alpha93

0.1.0-alpha94

0.1.0-alpha95

0.1.0-alpha96

0.1.0-alpha97

0.1.0-alpha98

0.1.0-alpha99

0.1.0-alpha100

0.1.0-alpha101

0.1.0-alpha102

0.1.0-alpha103

0.1.0-alpha104

0.1.0-alpha105

0.1.0-alpha106

0.1.0-alpha107

0.1.0-alpha108

0.42.0-beta1

0.42.0-beta2

0.42.0-beta3

0.42.0-beta4

0.42.0-beta5

0.42.0-beta6

0.42.0-beta7

0.42.0-beta8

0.42.0-beta9

0.42.0-beta10

0.42.0-beta11

0.74.0-beta1

0.74.0-beta2

0.74.0-beta3

0.74.0-beta4

0.74.0-beta5

0.74.0-beta6

0.74.0-beta7

0.74.0-beta8

0.74.0-beta9

0.74.0-beta10

0.74.0-beta11

0.74.0-beta12

0.74.0-beta13

0.74.0-beta14

0.74.0-beta15

0.74.0-beta16

1.*

1.0.0-beta

1.0.0-beta2

1.0.0-beta3

1.0.0-beta4

1.0.0-beta5

1.0.0-beta6

2.*

2.0.0-rc

2.0.0-rc2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.1.0-rc1

2.1.0-rc2

2.1.0-rc3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.3.0

2.3.1

2.3.2

2.3.2-p2

2.3.3

2.3.3-p1

2.3.4

2.3.4-p2

2.3.5

2.3.5-p1

2.3.5-p2

2.3.6

2.3.6-p1

2.3.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-8cjg-f53m-8m9q/GHSA-8cjg-f53m-8m9q.json"

magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Affected versions

2.*

2.3.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-8cjg-f53m-8m9q/GHSA-8cjg-f53m-8m9q.json"

magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.2-p1

Fixed

2.4.2-p2

Affected versions

2.*

2.4.2-p1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-8cjg-f53m-8m9q/GHSA-8cjg-f53m-8m9q.json"

magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Affected versions

2.*

2.4.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-8cjg-f53m-8m9q/GHSA-8cjg-f53m-8m9q.json"