Category: LFI

APPSEC-1986: Local file inclusion in import history

Description: An administrator with limited privileges can delete critical system control files to subsequently gain privilege escalation through the Import History feature.
Type: Local File Inclusion (LFI)
CVSSv3 Severity: 6.1 (Medium)
Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1

Posted in LFI, Magento 2, Magento Commerce, Magento Open Source

APPSEC-1901: Local file inclusion in customer view

Description: An administrator with limited privileges can read arbitrary files from the file system.
Type: Local File Inclusion (LFI)
CVSSv3 Severity: 6.4 (Medium)
Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3

Posted in LFI, Magento 2, Magento Commerce, Magento Open Source

APPSEC-1910: Local File Inclusion (LFI) in Import History

Description: An administrator with limited privileges can delete critical system control files to subsequently gain privilege escalation through the Import History section.
Type: Local File Inclusion + Potential RCE
CVSSv3 Severity: 6.1 (Medium)
Product(s) Affected: Magento 2.0 prior to 2.0.17,

Posted in LFI, Magento Commerce, Magento Open Source