Total
219 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-8118 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts. | |||||
CVE-2019-8127 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation. | |||||
CVE-2019-8093 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files. | |||||
CVE-2019-8128 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website. | |||||
CVE-2019-8116 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page. | |||||
CVE-2019-8130 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates. | |||||
CVE-2020-3717 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
CVE-2020-3758 | 1 Magento | 1 Magento | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
CVE-2019-8124 | 1 Magento | 1 Magento | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM |
An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks. | |||||
CVE-2019-8148 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder. | |||||
CVE-2019-8143 | 1 Magento | 1 Magento | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database. | |||||
CVE-2019-8150 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout. | |||||
CVE-2019-8156 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution. | |||||
CVE-2019-8149 | 1 Magento | 1 Magento | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication. | |||||
CVE-2019-8131 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source. | |||||
CVE-2019-8122 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution. | |||||
CVE-2019-8110 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. | |||||
CVE-2019-8228 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template. | |||||
CVE-2019-8114 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload. | |||||
CVE-2019-8158 | 1 Magento | 1 Magento | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data. |