Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Magento Subscribe
Total 222 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-28567 1 Magento 1 Magento 2021-09-14 4.0 MEDIUM 6.5 MEDIUM
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation.
CVE-2019-7888 1 Magento 1 Magento 2021-07-21 4.0 MEDIUM 6.5 MEDIUM
An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a malicious email template.
CVE-2019-7886 1 Magento 1 Magento 2021-07-21 5.0 MEDIUM 7.5 HIGH
A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts.
CVE-2020-9692 1 Magento 1 Magento 2021-07-21 8.5 HIGH 6.5 MEDIUM
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-8124 1 Magento 1 Magento 2021-07-21 4.0 MEDIUM 4.9 MEDIUM
An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks.
CVE-2020-9587 1 Magento 1 Magento 2021-07-21 5.0 MEDIUM 7.5 HIGH
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.
CVE-2020-9583 1 Magento 1 Magento 2021-07-21 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-9591 1 Magento 1 Magento 2021-07-21 5.0 MEDIUM 7.5 HIGH
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to unauthorized access to admin panel.
CVE-2020-9578 1 Magento 1 Magento 2021-07-21 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-7951 1 Magento 1 Magento 2021-07-21 5.0 MEDIUM 7.5 HIGH
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to leak customer information via crafted SOAP requests.
CVE-2020-9582 1 Magento 1 Magento 2021-07-21 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-9630 1 Magento 1 Magento 2021-07-21 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2019-7942 1 Magento 1 Magento 2021-07-21 6.5 MEDIUM 7.2 HIGH
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.
CVE-2019-7932 1 Magento 1 Magento 2021-07-21 6.5 MEDIUM 7.2 HIGH
A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can execute arbitrary PHP code by creating a malicious sitemap file.
CVE-2019-7858 1 Magento 1 Magento 2021-07-21 5.0 MEDIUM 7.5 HIGH
A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks.
CVE-2019-7903 1 Magento 1 Magento 2021-07-21 6.5 MEDIUM 7.2 HIGH
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.
CVE-2019-7855 1 Magento 1 Magento 2021-07-21 5.0 MEDIUM 5.3 MEDIUM
A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.
CVE-2020-9576 1 Magento 1 Magento 2021-07-21 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-7860 1 Magento 1 Magento 2021-07-21 5.0 MEDIUM 7.5 HIGH
A cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
CVE-2019-8126 1 Magento 1 Magento 2021-07-21 4.0 MEDIUM 4.9 MEDIUM
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.