Total
222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-7857 | 1 Magento | 1 Magento | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation. | |||||
CVE-2019-7859 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control. | |||||
CVE-2019-7890 | 1 Magento | 1 Magento | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details. | |||||
CVE-2019-7947 | 1 Magento | 1 Magento | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
CVE-2019-7915 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers. | |||||
CVE-2019-7930 | 1 Magento | 1 Magento | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a malicious file is then uploaded and executed on the system. | |||||
CVE-2019-7934 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript. | |||||
CVE-2019-7896 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update. | |||||
CVE-2019-7139 | 1 Magento | 1 Magento | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
CVE-2019-7882 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files. | |||||
CVE-2019-7889 | 1 Magento | 1 Magento | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications. | |||||
CVE-2019-7877 | 1 Magento | 1 Magento | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript. | |||||
CVE-2019-7936 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javascript. | |||||
CVE-2019-7851 | 1 Magento | 1 Magento | 2023-12-10 | 5.8 MEDIUM | 6.5 MEDIUM |
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages. | |||||
CVE-2019-7942 | 1 Magento | 1 Magento | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates. | |||||
CVE-2019-7935 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript. | |||||
CVE-2019-7926 | 1 Magento | 1 Magento | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious javascript. | |||||
CVE-2019-7950 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information. | |||||
CVE-2019-7928 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the Magento merchant and PayPal. | |||||
CVE-2019-7864 | 1 Magento | 1 Magento | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details. |