CVE-2019-7880
Description
Magento admin panel stored XSS allows authenticated users with marketing template privileges to inject arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento admin panel stored XSS allows authenticated users with marketing template privileges to inject arbitrary JavaScript.
Vulnerability
Overview
CVE-2019-7880 is a stored cross-site scripting (XSS) vulnerability in the Magento admin panel, affecting Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2 [1][2]. The root cause is insufficient sanitization of input within marketing email templates, allowing malicious JavaScript to be stored and later executed in the context of other admin users.
Exploitation
Exploitation requires an authenticated user with privileges to create or modify marketing email templates [1][2]. The attacker injects malicious script content into a template field, which is then stored on the server. When an administrator views the affected template (e.g., in preview or editing interfaces), the injected script executes in their browser session, bypassing the same-origin policy.
Impact
Successful exploitation leads to arbitrary JavaScript execution within the admin panel, potentially enabling an attacker to perform actions on behalf of the victim, access sensitive data, alter configurations, or escalate privileges within the Magento instance.
Mitigation
Adobe has released security patches fixing this vulnerability in Magento 2.3.2, 2.2.9, and 2.1.18 [1]. Users should upgrade to these or later versions. No workarounds are documented; the KEV catalog does not list this CVE.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/community-editionPackagist | >= 2.1, < 2.1.18 | 2.1.18 |
magento/community-editionPackagist | >= 2.2, < 2.2.9 | 2.2.9 |
magento/community-editionPackagist | >= 2.3, < 2.3.2 | 2.3.2 |
Affected products
2- Range: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-ccjm-rgm5-rjjhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-7880ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7880.yamlghsaWEB
- magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23ghsaWEB
News mentions
0No linked articles in our index yet.