CVE-2019-8112

A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
adobeCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
VendorProductVersion
magentomagento
2.2.0 ≤
𝑥
< 2.2.10
magentomagento
2.2.0 ≤
𝑥
< 2.2.10
magentomagento
2.3.0 ≤
𝑥
< 2.3.2
magentomagento
2.3.0 ≤
𝑥
< 2.3.2
magentomagento
2.3.2
magentomagento
2.3.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update