CVE-2019-7867
Description
Stored XSS in Magento 2 admin panel allows authenticated users with order management access to inject malicious scripts; patched in versions 2.1.18, 2.2.9, and 2.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
CVE-2019-7867 is a stored cross-site scripting (XSS) vulnerability in the admin panel of Magento 2.1 (prior to 2.1.18), 2.2 (prior to 2.2.9), and 2.3 (prior to 2.3.2). The vulnerability allows an authenticated user with privileges to manage orders and order status to inject arbitrary JavaScript into the admin interface [1][2].
Exploitation
The attack vector requires the attacker to have a valid authenticated session with permissions to modify order status. The injected script is stored on the server and executed when an administrator views the affected order management page, leading to XSS [1].
Impact
Successful exploitation could enable an attacker to execute malicious scripts in the context of the admin user's session, potentially allowing theft of sensitive data, unauthorized actions, or further compromise of the Magento installation [2].
Mitigation
Adobe released security updates that address this vulnerability: Magento 2.1.18, 2.2.9, and 2.3.2. Users are advised to upgrade immediately [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.1.0, < 2.1.18 | 2.1.18 |
| magento/community-edition (Packagist) | >= 2.2.0, < 2.2.9 | 2.2.9 |
| magento/community-edition (Packagist) | >= 2.3.0, < 2.3.2 | 2.3.2 |
Affected products
- Range: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vx2g-f45p-j674 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-7867 (NVD entry)
- github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7867.yaml (FriendsOfPHP security advisory)
- magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23 (vendor security update notice)
- web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23 (archived copy of the vendor notice)
News mentions
No linked articles in our index yet.