Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Magento Subscribe
Total 222 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-10704 1 Magento 1 Magento 2019-11-15 4.3 MEDIUM 6.1 MEDIUM
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503.
CVE-2019-8136 1 Magento 1 Magento 2019-11-08 7.5 HIGH 9.8 CRITICAL
An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Magento 2 codebase leveraged outdated versions of HTTP specification abstraction implemented in symphony component.
CVE-2019-8118 1 Magento 1 Magento 2019-11-08 5.0 MEDIUM 5.3 MEDIUM
Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.
CVE-2019-8227 1 Magento 1 Magento 2019-11-08 3.5 LOW 4.8 MEDIUM
In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.
CVE-2019-8112 1 Magento 1 Magento 2019-11-08 5.0 MEDIUM 7.5 HIGH
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation.
CVE-2019-8233 1 Magento 1 Magento 2019-11-07 4.3 MEDIUM 6.1 MEDIUM
In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.
CVE-2019-8156 1 Magento 1 Magento 2019-11-07 6.5 MEDIUM 7.2 HIGH
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution.
CVE-2019-8158 1 Magento 1 Magento 2019-11-07 7.5 HIGH 9.8 CRITICAL
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data.
CVE-2019-8140 1 Magento 1 Magento 2019-11-07 4.0 MEDIUM 4.9 MEDIUM
An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file.
CVE-2019-8228 1 Magento 1 Magento 2019-11-07 3.5 LOW 4.8 MEDIUM
in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.
CVE-2019-8109 1 Magento 1 Magento 2019-11-07 6.0 MEDIUM 8.0 HIGH
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution.
CVE-2019-8127 1 Magento 1 Magento 2019-11-07 6.5 MEDIUM 8.8 HIGH
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation.
CVE-2019-8108 1 Magento 1 Magento 2019-11-07 4.0 MEDIUM 6.5 MEDIUM
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session management.
CVE-2019-8151 1 Magento 1 Magento 2019-11-07 6.5 MEDIUM 7.2 HIGH
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway.
CVE-2019-8152 1 Magento 1 Magento 2019-11-07 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard.
CVE-2019-8153 1 Magento 1 Magento 2019-11-07 4.3 MEDIUM 6.1 MEDIUM
A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload.
CVE-2019-8113 1 Magento 1 Magento 2019-11-07 5.0 MEDIUM 5.3 MEDIUM
Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration.
CVE-2019-8159 1 Magento 1 Magento 2019-11-07 9.0 HIGH 8.8 HIGH
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute aribitrary code through arbitrary file deletion and OS command injection.
CVE-2019-8090 1 Magento 1 Magento 2019-11-07 5.5 MEDIUM 6.5 MEDIUM
An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature.
CVE-2019-8138 1 Magento 1 Magento 2019-11-07 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing arbitrary API endpoint that will not be chcecked by sale pickup event.