CVE-2019-7873
Description
A CSRF vulnerability in Magento 2.1-2.3.2 allows an attacker to trick an admin into unintentionally deleting the store design schedule.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
A cross-site request forgery (CSRF) vulnerability exists in Magento versions 2.1 prior to 2.1.18, 2.2 prior to 2.2.9, and 2.3 prior to 2.3.2 [1][2]. The vulnerability stems from an insecure token implementation (PRODSECBUG-2171) that fails to properly validate the origin of requests, allowing an attacker to perform unauthorized actions on behalf of an authenticated administrator [1].
Exploitation
An attacker can exploit this flaw by crafting a malicious web page or link that, when visited by an authenticated Magento admin, triggers a forged request to the victim's store [2]. No special network position is required; the attack can be delivered via email, a compromised site, or any vector that causes the admin to load the attacker's content while their session is active [1]. The specific impact is the unintended deletion of the store design schedule [2].
Impact
Successful exploitation results in the loss of the store's design schedule configuration, potentially disrupting planned theme or layout changes, causing downtime or requiring manual reconfiguration [2]. The CVSS v3 severity is not explicitly listed for this issue, but it is considered a moderate-risk CSRF [1].
Mitigation
Adobe released patches fixing this vulnerability as part of the Magento 2.3.2, 2.2.9, and 2.1.18 security updates on August 2, 2019 [1][2]. Users should upgrade to the latest patched version to mitigate the risk. No workarounds are documented [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.1.0, < 2.1.18 | 2.1.18 |
| magento/community-edition (Packagist) | >= 2.2.0, < 2.2.9 | 2.2.9 |
| magento/community-edition (Packagist) | >= 2.3.0, < 2.3.2 | 2.3.2 |
Affected products
- Range: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8578-mmf4-f327 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-7873 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7873.yaml
- magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33 (vendor confirmation)
- web.archive.org/web/20220121011306/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33 (archived copy)
News mentions
No linked articles in our index yet.