CVE-2019-7868
Description
Authenticated admin users with tax rule permissions can store malicious XSS in Magento's admin panel, impacting versions prior to 2.3.2, 2.2.9, and 2.1.18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Analysis
This vulnerability is a stored cross-site scripting (XSS) flaw in the admin panel of Magento, Adobe's commerce platform. It affects versions 2.1 before 2.1.18, 2.2 before 2.2.9, and 2.3 before 2.3.2 [1]. The root cause lies in insufficient sanitization of user input within the tax rule management interface, allowing an authenticated user to inject arbitrary JavaScript or HTML that is stored and subsequently executed when other admin users view the affected page.
Attack Vector
Exploitation requires an authenticated user with permission to manage tax rules [1], a privilege typically held by administrators or other high-level backend users. The attacker submits a crafted payload via a tax rule field, which the application stores in the database without proper encoding. When another administrator (or the same administrator later) loads the tax rule configuration page, the payload executes in their browser session within the context of the admin panel.
Impact
A successful attack can lead to session hijacking, defacement, or the exfiltration of sensitive data accessible within the admin interface. Since the exploit executes in the context of the authenticated admin session, the attacker could potentially perform any action that the victim admin is authorized to do, such as modifying store configurations, accessing customer data, or creating new admin accounts [1][4].
Mitigation
Adobe released security updates to fix this vulnerability as part of the Magento 2.3.2, 2.2.9, and 2.1.18 releases [4]. Users are strongly advised to upgrade their Magento installations to these or later versions. No workaround is documented, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
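The following illustration is added here and is not Magento's code or anything from the CVE references: it places the flawed pattern (stored text concatenated into admin HTML) beside the hardened output-encoded form, and adds a defender's audit over stored tax rule codes. The `tax_calculation_rule` table shape, its `code` column and the sample rows are assumptions constructed for the example.

```python
import html
import re
from typing import Dict, List

# Constructed sample rows shaped like Magento's tax_calculation_rule table
# (assumed columns: tax_calculation_rule_id, code). Not real store data.
SAMPLE_TAX_RULES: List[Dict[str, str]] = [
    {"tax_calculation_rule_id": "1", "code": "Retail Customer-Taxable Goods-Rate 1"},
    {"tax_calculation_rule_id": "2", "code": "EU VAT <b>standard</b>"},
    {"tax_calculation_rule_id": "3", "code": 'Promo "2019" & more'},
]

# Markup that has no business in a tax rule code: a tag opener, an inline
# event-handler attribute, or a javascript: URL.
_MARKUP = re.compile(r"<[a-zA-Z/!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def render_rule_cell_unsafe(code: str) -> str:
    """The flawed pattern: the stored value is concatenated straight into
    the admin page, so any markup it contains is interpreted by the browser."""
    return "<td>" + code + "</td>"


def render_rule_cell_safe(code: str) -> str:
    """Hardened pattern: HTML-encode on output, quotes included, so whatever
    was stored is rendered as text and can never become markup."""
    return "<td>" + html.escape(code, quote=True) + "</td>"


def find_suspicious_tax_rules(rows: List[Dict[str, str]]) -> List[str]:
    """Defender's check for an unpatched or recently patched store: return the
    ids of stored rules whose code already contains markup, for manual review."""
    return [r["tax_calculation_rule_id"] for r in rows if _MARKUP.search(r["code"])]


if __name__ == "__main__":
    for row in SAMPLE_TAX_RULES:
        print(render_rule_cell_safe(row["code"]))
    print("rules to review:", find_suspicious_tax_rules(SAMPLE_TAX_RULES))
```

Upgrading removes the flaw, but a store that ran a vulnerable version should still review rows the audit flags, since a payload stored before the upgrade stays in the database.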
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.1.0, < 2.1.18 | 2.1.18 |
| magento/community-edition (Packagist) | >= 2.2.0, < 2.2.9 | 2.2.9 |
| magento/community-edition (Packagist) | >= 2.3.0, < 2.3.2 | 2.3.2 |
Affected products
- Range: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-g4jh-vxqm-6fff (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-7868 (advisory)
- [3] github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7868.yaml (web)
- [4] magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23 (vendor confirmation, web)
News mentions
No linked articles in our index yet.