APPSEC-1910: Local File Inclusion (LFI) in Import History

Description: An administrator with limited privileges can use the Import History section to delete critical system control files and subsequently escalate privileges.

Type: Local File Inclusion + Potential RCE

CVSSv3 Severity: 6.1 (Medium)

Product(s) Affected: Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2

Fixed In: Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
