Filtered by vendor Magento
Subscribe
Total
222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-7935 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript. | |||||
CVE-2019-7887 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled. | |||||
CVE-2019-7938 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious javascript. | |||||
CVE-2019-7940 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify store currency options to inject malicious javascript. | |||||
CVE-2019-7944 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript. | |||||
CVE-2019-7945 | 1 Magento | 1 Magento | 2019-08-07 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious javascript. | |||||
CVE-2019-7873 | 1 Magento | 1 Magento | 2019-08-07 | 5.8 MEDIUM | 4.3 MEDIUM |
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule. | |||||
CVE-2019-7923 | 1 Magento | 1 Magento | 2019-08-07 | 6.5 MEDIUM | 7.2 HIGH |
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code. | |||||
CVE-2019-7930 | 1 Magento | 1 Magento | 2019-08-07 | 9.0 HIGH | 7.2 HIGH |
A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a malicious file is then uploaded and executed on the system. | |||||
CVE-2019-7861 | 1 Magento | 1 Magento | 2019-08-06 | 5.0 MEDIUM | 7.5 HIGH |
Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
CVE-2019-7862 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
CVE-2019-7853 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configuration in the Magento admin panel. | |||||
CVE-2019-7863 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories. | |||||
CVE-2019-7851 | 1 Magento | 1 Magento | 2019-08-06 | 5.8 MEDIUM | 6.5 MEDIUM |
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages. | |||||
CVE-2019-7852 | 1 Magento | 1 Magento | 2019-08-06 | 5.0 MEDIUM | 5.3 MEDIUM |
A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties. | |||||
CVE-2019-7857 | 1 Magento | 1 Magento | 2019-08-06 | 4.3 MEDIUM | 4.3 MEDIUM |
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation. | |||||
CVE-2019-7859 | 1 Magento | 1 Magento | 2019-08-06 | 5.0 MEDIUM | 7.5 HIGH |
A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control. | |||||
CVE-2019-7865 | 1 Magento | 1 Magento | 2019-08-06 | 6.8 MEDIUM | 8.8 HIGH |
A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration. | |||||
CVE-2019-7866 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor. | |||||
CVE-2019-7867 | 1 Magento | 1 Magento | 2019-08-06 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status. |