Total
219 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-8108 | 1 Magento | 1 Magento | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session management. | |||||
CVE-2019-8133 | 1 Magento | 1 Magento | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service. | |||||
CVE-2019-8113 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration. | |||||
CVE-2019-8129 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation. | |||||
CVE-2019-8115 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation. | |||||
CVE-2019-8227 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML. | |||||
CVE-2019-8157 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization. | |||||
CVE-2019-8132 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard. | |||||
CVE-2020-3719 | 1 Magento | 1 Magento | 2024-02-04 | 7.8 HIGH | 7.5 HIGH |
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
CVE-2019-8109 | 1 Magento | 1 Magento | 2024-02-04 | 6.0 MEDIUM | 8.0 HIGH |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution. | |||||
CVE-2019-8091 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution. | |||||
CVE-2019-8123 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficent data to effectively track configuration changes. | |||||
CVE-2019-8141 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality. | |||||
CVE-2019-8154 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update. | |||||
CVE-2019-8112 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation. | |||||
CVE-2015-6497 | 2 Magento, Php | 2 Magento, Php | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap. | |||||
CVE-2020-3716 | 1 Magento | 1 Magento | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
CVE-2019-8144 | 1 Magento | 1 Magento | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods. | |||||
CVE-2019-8229 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. | |||||
CVE-2019-8126 | 1 Magento | 1 Magento | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM |
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure. |