APPSEC-1952: Remote Code Execution using media upload

Description: An administrator with limited privileges can remotely execute code using a path traversal vulnerability during the CMS image or media upload process.

Type: Remote Code Execution (RCE)

CVSSv3 Severity: 9.8 (High)

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3

Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
