Total: 222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2019-7887 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled. |
CVE-2019-7862 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. |
CVE-2019-7904 | 1 Magento | 1 Magento | 2023-12-10 | 5.5 MEDIUM | 6.5 MEDIUM | Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes. |
CVE-2019-7888 | 1 Magento | 1 Magento | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a malicious email template. |
CVE-2019-7871 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection. |
CVE-2019-7849 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. |
CVE-2019-7898 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input. |
CVE-2019-7944 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript. |
CVE-2019-7937 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript. |
CVE-2019-7867 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status. |
CVE-2019-7903 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH | A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template. |
CVE-2019-7874 | 1 Magento | 1 Magento | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles. |
CVE-2019-7913 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH | A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment methods to execute arbitrary code. |
CVE-2019-7863 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories. |
CVE-2019-7939 | 1 Magento | 1 Magento | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious javascript execution in the victim's browser. |
CVE-2019-7940 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify store currency options to inject malicious javascript. |
CVE-2019-7912 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH | A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the malicious upload and execution of malicious files on the server. |
CVE-2019-7951 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to leak customer information via crafted SOAP requests. |
CVE-2019-7869 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups. |
CVE-2019-7868 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules. |