CVE-2019-7869
Description
Magento admin panel stored XSS in customer group management allows authenticated users with group permissions to execute arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting (XSS) vulnerability exists in the admin panel of Magento Open Source and Adobe Commerce versions 2.1 prior to 2.1.18, 2.2 prior to 2.2.9, and 2.3 prior to 2.3.2. The vulnerability is rooted in improper sanitization of user-supplied input when managing customer groups, allowing an authenticated user with the necessary permissions to inject malicious scripts that are stored on the server and later executed in the browsers of other users [1][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.1.0, < 2.1.18 | 2.1.18 |
| magento/community-edition (Packagist) | >= 2.2.0, < 2.2.9 | 2.2.9 |
| magento/community-edition (Packagist) | >= 2.3.0, < 2.3.2 | 2.3.2 |
Affected products
- Range: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-9f4p-3jgf-98f5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-7869 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7869.yaml (ghsa, WEB)
- magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23 (ghsa, x_refsource_CONFIRM, WEB)