Vulnerability Description
Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
CVSS Score
9.8
CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Magento | Magento | <= 2.0.5 |
Related Weaknesses (CWE)
References
- http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/Technical DescriptionThird Party Advisory
- https://magento.com/security/patches/magento-206-security-updatePatchVendor Advisory
- https://packetstormsecurity.com/files/137121/Magento-Unauthenticated-Arbitrary-FExploitThird Party AdvisoryVDB Entry
- https://packetstormsecurity.com/files/137312/Magento-2.0.6-Unserialize-Remote-CoExploitThird Party AdvisoryVDB Entry
- https://www.exploit-db.com/exploits/39838/
- http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/Technical DescriptionThird Party Advisory
- https://magento.com/security/patches/magento-206-security-updatePatchVendor Advisory
- https://packetstormsecurity.com/files/137121/Magento-Unauthenticated-Arbitrary-FExploitThird Party AdvisoryVDB Entry
- https://packetstormsecurity.com/files/137312/Magento-2.0.6-Unserialize-Remote-CoExploitThird Party AdvisoryVDB Entry
- https://www.exploit-db.com/exploits/39838/
FAQ
What is CVE-2016-4010?
CVE-2016-4010 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
How severe is CVE-2016-4010?
CVE-2016-4010 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-4010?
Check the references section above for vendor advisories and patch information. Affected products include: Magento Magento.