Magento is urging web administrators to install its latest security update in order to defend against malicious attacks in the wild that could exploit a critical remote code-execution vulnerability. The vulnerability (CVE-2019-8144) could enable an unauthenticated user to insert a malicious payload into a merchant s site through Page Builder template methods, and execute it. The bug specifically exists in the preview function of Magento Commerce 2.3. The company warned patching will have the side effect of blocking administrators from viewing previews for products, blocks and dynamic blocks
Source: https://threatpost.com/magento-warns-upgrade-asap/150115/