CVE-2019-7866
Description
Stored XSS in Magento admin panel allows authenticated users with product edit access to inject malicious JavaScript via TinyMCE editor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2019-7866 is a stored cross-site scripting (XSS) vulnerability in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2 [2]. The flaw resides in the TinyMCE editor used for editing product information, where an authenticated user with privileges to modify product data can inject arbitrary JavaScript [2].
Exploitation
To exploit this vulnerability, an attacker must have an authenticated session with administrative access to the Magento backend and the ability to edit product information [2]. The injected script is stored on the server and executed when other admin users view the affected product page, making it a persistent XSS attack [2]. No special network position is required beyond access to the admin panel.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's admin session. This can lead to session hijacking, theft of sensitive data, defacement, or further compromise of the Magento instance [1][2]. The CVSSv3 severity is rated 5.5 (Medium) [1].
Mitigation
Adobe released security updates in Magento 2.1.18, 2.2.9, and 2.3.2 that address this vulnerability [1][4]. Users are strongly advised to upgrade to these patched versions. As of the advisory publication, no known active exploitation has been reported [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.1.0, < 2.1.18 | 2.1.18 |
| magento/community-edition | Packagist | >= 2.2.0, < 2.2.9 | 2.2.9 |
| magento/community-edition | Packagist | >= 2.3.0, < 2.3.2 | 2.3.2 |
Affected products
- Range: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-3ccx-7588-r6c6 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-7866 (NVD advisory)
- [3] github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7866.yaml (web)
- [4] magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23 (vendor confirmation)
- [5] web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23 (archived copy of the vendor advisory)
News mentions
No linked articles in our index yet.