High severityNVD Advisory· Published Jan 15, 2020· Updated Aug 6, 2024
CVE-2015-6497
CVE-2015-6497
Description
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/corePackagist | < 1.9.2.1 | 1.9.2.1 |
Affected products
2- Magento/Magento Community Editiondescription
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-j4fq-3fm7-wh5vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-6497ghsaADVISORY
- blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.htmlghsax_refsource_MISCWEB
- karmainsecurity.com/KIS-2015-04ghsax_refsource_MISCWEB
- magento.com/security/patches/supee-6482ghsax_refsource_MISCWEB
- packetstormsecurity.com/files/133544/Magento-1.9.2-File-Inclusion.htmlghsax_refsource_MISCWEB
- seclists.org/fulldisclosure/2015/Sep/48ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.