Filtered by vendor Magento
Subscribe
Search
Total
110 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8152 | 1 Magento | 1 Magento | 2019-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard. | |||||
| CVE-2019-8153 | 1 Magento | 1 Magento | 2019-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload. | |||||
| CVE-2019-8113 | 1 Magento | 1 Magento | 2019-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration. | |||||
| CVE-2019-8090 | 1 Magento | 1 Magento | 2019-11-07 | 5.5 MEDIUM | 6.5 MEDIUM |
| An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature. | |||||
| CVE-2019-8138 | 1 Magento | 1 Magento | 2019-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing arbitrary API endpoint that will not be chcecked by sale pickup event. | |||||
| CVE-2019-8092 | 1 Magento | 1 Magento | 2019-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview. | |||||
| CVE-2019-8129 | 1 Magento | 1 Magento | 2019-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation. | |||||
| CVE-2019-8131 | 1 Magento | 1 Magento | 2019-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source. | |||||
| CVE-2019-8148 | 1 Magento | 1 Magento | 2019-11-07 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder. | |||||
| CVE-2019-8139 | 1 Magento | 1 Magento | 2019-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product. | |||||
| CVE-2019-8132 | 1 Magento | 1 Magento | 2019-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard. | |||||
| CVE-2019-8143 | 1 Magento | 1 Magento | 2019-11-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database. | |||||
| CVE-2019-8142 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store. | |||||
| CVE-2019-8146 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores. | |||||
| CVE-2019-8145 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products. | |||||
| CVE-2019-8147 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via customer attribute label. | |||||
| CVE-2019-8128 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website. | |||||
| CVE-2019-8157 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization. | |||||
| CVE-2019-8115 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 4.8 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation. | |||||
| CVE-2019-8117 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticates user can inject arbitrary JavaScript code via product view id specification. | |||||
| CVE-2019-8120 | 1 Magento | 1 Magento | 2019-11-06 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email address. | |||||
| CVE-2019-7889 | 1 Magento | 1 Magento | 2019-08-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications. | |||||
| CVE-2019-7897 | 1 Magento | 1 Magento | 2019-08-09 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to customer configurations to inject malicious javascript. | |||||
| CVE-2019-7898 | 1 Magento | 1 Magento | 2019-08-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input. | |||||
| CVE-2019-7899 | 1 Magento | 1 Magento | 2019-08-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
| CVE-2019-7909 | 1 Magento | 1 Magento | 2019-08-09 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to email templates. | |||||
| CVE-2019-7947 | 1 Magento | 1 Magento | 2019-08-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
| CVE-2019-7882 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files. | |||||
| CVE-2019-7874 | 1 Magento | 1 Magento | 2019-08-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles. | |||||
| CVE-2019-7934 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript. | |||||
| CVE-2019-7875 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to newsletter templates. | |||||
| CVE-2019-7881 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack). | |||||
| CVE-2019-7935 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript. | |||||
| CVE-2019-7887 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
| A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled. | |||||
| CVE-2019-7938 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious javascript. | |||||
| CVE-2019-7940 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify store currency options to inject malicious javascript. | |||||
| CVE-2019-7944 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript. | |||||
| CVE-2019-7945 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious javascript. | |||||
| CVE-2019-7873 | 1 Magento | 1 Magento | 2019-08-07 | 5.8 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule. | |||||
| CVE-2019-7862 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
| A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
| CVE-2019-7853 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configuration in the Magento admin panel. | |||||
| CVE-2019-7863 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories. | |||||
| CVE-2019-7851 | 1 Magento | 1 Magento | 2019-08-06 | 5.8 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages. | |||||
| CVE-2019-7852 | 1 Magento | 1 Magento | 2019-08-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties. | |||||
| CVE-2019-7857 | 1 Magento | 1 Magento | 2019-08-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation. | |||||
| CVE-2019-7866 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor. | |||||
| CVE-2019-7867 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status. | |||||
| CVE-2019-7868 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules. | |||||
| CVE-2019-7877 | 1 Magento | 1 Magento | 2019-08-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript. | |||||
| CVE-2019-7880 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascript. | |||||