APPSEC-1909: Admin account takeover via File upload information disclosure

It was discovered that Magento reveals the HttpOnly admin session cookie in the response to a successful file upload in the admin panel. Because the response content type is JSON, an attacker could steal the admin session cookie by exploiting any XSS present in the admin panel. The vulnerable file upload sections are in the CMS, Catalog and Downloadable modules.
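A regression check for this class of disclosure, added here as an example and not Magento's own code: given the admin session id (in a real test, read from the request's session cookie) it scans a JSON upload response for any string value that embeds it, raw or URL-encoded, and reports where. The session id and the two sample responses below are constructed.

```python
import json
from typing import Iterator
from urllib.parse import quote


def _walk(node, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string_value) for every string in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_session_leaks(response_body: str, session_id: str) -> list[str]:
    """Return the JSON paths whose string value contains the session id.

    Both the raw id and its URL-encoded form are searched, since a cookie
    value echoed back through an encoder would otherwise be missed.
    """
    needles = {session_id, quote(session_id, safe="")}
    try:
        tree = json.loads(response_body)
    except json.JSONDecodeError:
        tree = response_body  # non-JSON body: scan it as a single string
    return [path for path, text in _walk(tree) if any(n in text for n in needles)]


# Constructed sample data: a session id and two upload responses, one of which
# echoes the admin cookie in the JSON body (the pattern this advisory describes).
SAMPLE_SESSION_ID = "q7x4v0h2j9c1k5m8"
CLEAN_RESPONSE = '{"name":"banner.png","type":"image/png","size":5120,"error":0}'
LEAKY_RESPONSE = (
    '{"name":"banner.png","type":"image/png","size":5120,"error":0,'
    '"cookie":"admin=q7x4v0h2j9c1k5m8; other=value"}'
)

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(label, find_session_leaks(body, SAMPLE_SESSION_ID))
```

In a CI test, call `find_session_leaks` on every admin upload response and fail the build if the returned list is non-empty.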

Type: Privilege Escalation & Enumeration: Broken Authentication and Session Management

CVSSv3 Severity: N/A

Known Attacks: None

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6

Fixed In: Magento 2.1.15, Magento 2.2.6
