Filtered by vendor Magento
Subscribe
Search
Total
64 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8134 | 1 Magento | 1 Magento | 2019-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables. | |||||
| CVE-2019-8114 | 1 Magento | 1 Magento | 2019-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload. | |||||
| CVE-2019-7911 | 1 Magento | 1 Magento | 2019-08-09 | 6.5 MEDIUM | 7.2 HIGH |
| A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to the admin panel to manipulate system configuration and execute arbitrary code. | |||||
| CVE-2019-7912 | 1 Magento | 1 Magento | 2019-08-09 | 6.5 MEDIUM | 7.2 HIGH |
| A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the malicious upload and execution of malicious files on the server. | |||||
| CVE-2019-7849 | 1 Magento | 1 Magento | 2019-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. | |||||
| CVE-2019-7913 | 1 Magento | 1 Magento | 2019-08-07 | 6.5 MEDIUM | 7.2 HIGH |
| A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment methods to execute arbitrary code. | |||||
| CVE-2019-7892 | 1 Magento | 1 Magento | 2019-08-07 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery. | |||||
| CVE-2019-7885 | 1 Magento | 1 Magento | 2019-08-07 | 6.5 MEDIUM | 8.8 HIGH |
| Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search. | |||||
| CVE-2019-7923 | 1 Magento | 1 Magento | 2019-08-07 | 6.5 MEDIUM | 7.2 HIGH |
| A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code. | |||||
| CVE-2019-7930 | 1 Magento | 1 Magento | 2019-08-07 | 9.0 HIGH | 7.2 HIGH |
| A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a malicious file is then uploaded and executed on the system. | |||||
| CVE-2019-7861 | 1 Magento | 1 Magento | 2019-08-06 | 5.0 MEDIUM | 7.5 HIGH |
| Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
| CVE-2019-7859 | 1 Magento | 1 Magento | 2019-08-06 | 5.0 MEDIUM | 7.5 HIGH |
| A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control. | |||||
| CVE-2019-7865 | 1 Magento | 1 Magento | 2019-08-06 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration. | |||||
| CVE-2016-6485 | 1 Magento | 1 Magento2 | 2018-07-10 | 5.0 MEDIUM | 7.5 HIGH |
| The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value. | |||||