CVE-2019-7877
Description
Stored XSS in Magento admin panel allows authenticated users with order management privileges to inject malicious JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2 [1][2]. An authenticated user with privileges to manage orders can inject malicious JavaScript into order-related fields, which is then stored and executed when other admin users view the affected order [2].
Exploitation
An attacker must be authenticated and have the necessary privileges to manage orders in the Magento admin panel [2]. The attacker can inject malicious JavaScript into input fields such as order comments or customer details. When another admin user accesses the order page, the injected script executes in the context of that user's session [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the admin panel of other users. This can lead to session hijacking, theft of sensitive data, or further compromise of the Magento instance [1][2]. The attack is stored, meaning the malicious payload persists and affects all subsequent viewers of the affected order.
Mitigation
The vulnerability is fixed in Magento 2.1.18, 2.2.9, and 2.3.2, released on August 2, 2019 [1]. Users should upgrade to these versions or later. No workaround is documented in the available references [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.1, < 2.1.18 | 2.1.18 |
| magento/community-edition | Packagist | >= 2.2, < 2.2.9 | 2.2.9 |
| magento/community-edition | Packagist | >= 2.3, < 2.3.2 | 2.3.2 |
Affected products
- Range: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-v5m6-2m78-4vr2 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-7877 (source: ghsa; type: ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7877.yaml (source: ghsa; type: WEB)
- magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13 (source: ghsa; type: WEB)
- magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23 (source: mitre; type: x_refsource_CONFIRM)
- web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23 (source: ghsa; type: WEB)
News mentions
No linked articles in our index yet.