Filtered by vendor Magento
Subscribe
Total
225 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-7869 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups. | |||||
CVE-2019-7868 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules. | |||||
CVE-2019-7865 | 1 Magento | 1 Magento | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration. | |||||
CVE-2019-7858 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks. | |||||
CVE-2019-7929 | 1 Magento | 1 Magento | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges may be able to view metadata of a trusted device used by another administrator via a crafted http request. | |||||
CVE-2019-7875 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to newsletter templates. | |||||
CVE-2019-7909 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to email templates. | |||||
CVE-2019-7876 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout. | |||||
CVE-2019-7892 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery. | |||||
CVE-2019-7895 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update. | |||||
CVE-2019-7852 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties. | |||||
CVE-2019-7927 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product content pages to inject malicious javascript. | |||||
CVE-2019-7861 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
CVE-2018-5301 | 1 Magento | 1 Magento | 2023-12-10 | 5.8 MEDIUM | 6.5 MEDIUM |
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433. | |||||
CVE-2016-10704 | 1 Magento | 1 Magento | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503. | |||||
CVE-2014-9758 | 1 Magento | 1 Magento | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platform 1.9.0.1. | |||||
CVE-2015-8707 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
Password reset tokens in Magento CE before 1.9.2.2, and Magento EE before 1.14.2.2 are passed via a GET request and not canceled after use, which allows remote attackers to obtain user passwords via a crafted external service with access to the referrer field. | |||||
CVE-2016-4010 | 1 Magento | 1 Magento | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data. | |||||
CVE-2016-6485 | 1 Magento | 1 Magento2 | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value. | |||||
CVE-2016-2212 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The getOrderByStatusUrlKey function in the Mage_Rss_Helper_Order class in app/code/core/Mage/Rss/Helper/Order.php in Magento Enterprise Edition before 1.14.2.3 and Magento Community Edition before 1.9.2.3 allows remote attackers to obtain sensitive order information via the order_id in a JSON object in the data parameter in an RSS feed request to index.php/rss/order/status. |