Filtered by vendor Magento
Subscribe
Total
224 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7935 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript.
|
|||||
| CVE-2019-7934 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript.
|
|||||
| CVE-2019-7932 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can execute arbitrary PHP code by creating a malicious sitemap file.
|
|||||
| CVE-2019-7930 | 1 Magento | 1 Magento | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
|
A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a malicious file is then uploaded and executed on the system.
|
|||||
| CVE-2019-7929 | 1 Magento | 1 Magento | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges may be able to view metadata of a trusted device used by another administrator via a crafted http request.
|
|||||
| CVE-2019-7928 | 1 Magento | 1 Magento | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the Magento merchant and PayPal.
|
|||||
| CVE-2019-7927 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product content pages to inject malicious javascript.
|
|||||
| CVE-2019-7926 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious javascript.
|
|||||
| CVE-2019-7925 | 1 Magento | 1 Magento | 2024-11-21 | 5.5 MEDIUM | 4.9 MEDIUM |
|
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an administrator with limited privileges to delete the downloadable products folder.
|
|||||
| CVE-2019-7923 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code.
|
|||||
| CVE-2019-7921 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javascript.
|
|||||
| CVE-2019-7915 | 1 Magento | 1 Magento | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers.
|
|||||
| CVE-2019-7913 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment methods to execute arbitrary code.
|
|||||
| CVE-2019-7912 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the malicious upload and execution of malicious files on the server.
|
|||||
| CVE-2019-7911 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to the admin panel to manipulate system configuration and execute arbitrary code.
|
|||||
| CVE-2019-7909 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to email templates.
|
|||||
| CVE-2019-7908 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify product information.
|
|||||
| CVE-2019-7904 | 1 Magento | 1 Magento | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes.
|
|||||
| CVE-2019-7903 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.
|
|||||
| CVE-2019-7899 | 1 Magento | 1 Magento | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
|
|||||
| CVE-2019-7898 | 1 Magento | 1 Magento | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input.
|
|||||
| CVE-2019-7897 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to customer configurations to inject malicious javascript.
|
|||||
| CVE-2019-7896 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.
|
|||||
| CVE-2019-7895 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update.
|
|||||
| CVE-2019-7892 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery.
|
|||||
| CVE-2019-7890 | 1 Magento | 1 Magento | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
|
|||||
| CVE-2019-7889 | 1 Magento | 1 Magento | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications.
|
|||||
| CVE-2019-7888 | 1 Magento | 1 Magento | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a malicious email template.
|
|||||
| CVE-2019-7887 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.
|
|||||
| CVE-2019-7886 | 1 Magento | 1 Magento | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts.
|
|||||
| CVE-2019-7885 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search.
|
|||||
| CVE-2019-7882 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.
|
|||||
| CVE-2019-7881 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).
|
|||||
| CVE-2019-7880 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascript.
|
|||||
| CVE-2019-7877 | 1 Magento | 1 Magento | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript.
|
|||||
| CVE-2019-7876 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.
|
|||||
| CVE-2019-7875 | 1 Magento | 1 Magento | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to newsletter templates.
|
|||||
| CVE-2019-7874 | 1 Magento | 1 Magento | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles.
|
|||||
| CVE-2019-7873 | 1 Magento | 1 Magento | 2024-11-21 | 5.8 MEDIUM | 4.3 MEDIUM |
|
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule.
|
|||||
| CVE-2019-7872 | 1 Magento | 1 Magento | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks. This can be abused by a user with admin privileges to add users to company accounts or modify existing user details.
|
|||||