PRODSECBUG-2146: Remote Code Execution through the Product Media Upload in the Admin

A path traversal vulnerability permits folder creation at arbitrary locations and file deletion from arbitrary locations in the Admin product image/media upload area.

Type: Cross-Site Scripting (XSS)

CVSSv3 Severity: 6.0

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7

Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
