Total
219 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-7915 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers. | |||||
CVE-2019-7888 | 1 Magento | 1 Magento | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a malicious email template. | |||||
CVE-2019-7861 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
CVE-2019-7882 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files. | |||||
CVE-2019-7849 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. | |||||
CVE-2019-7921 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javascript. | |||||
CVE-2019-7877 | 1 Magento | 1 Magento | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript. | |||||
CVE-2019-7867 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status. | |||||
CVE-2019-7951 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to leak customer information via crafted SOAP requests. | |||||
CVE-2019-7854 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details. | |||||
CVE-2019-7947 | 1 Magento | 1 Magento | 2024-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
CVE-2019-7898 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input. | |||||
CVE-2019-7852 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties. | |||||
CVE-2019-7863 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories. | |||||
CVE-2019-7855 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation. | |||||
CVE-2019-7881 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack). | |||||
CVE-2019-7928 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the Magento merchant and PayPal. | |||||
CVE-2019-7858 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks. | |||||
CVE-2019-7892 | 1 Magento | 1 Magento | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery. | |||||
CVE-2019-7945 | 1 Magento | 1 Magento | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious javascript. |