VYPR

Packagist (Composer) package

magento/community-edition

pkg:composer/magento/community-edition

Vulnerabilities (355)

  • CVE-2020-3719Jan 29, 2020
    affected >= 2.3.0, < 2.3.4fixed 2.3.4

    Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure.

  • CVE-2020-3718Jan 29, 2020
    affected >= 2.3.0, < 2.3.4fixed 2.3.4

    Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2020-3717Jan 29, 2020
    affected >= 2.2.0, < 2.2.11fixed 2.2.11

    Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure.

  • CVE-2020-3716Jan 29, 2020
    affected >= 2.2.0, < 2.2.11fixed 2.2.11

    Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2020-3715Jan 29, 2020
    affected >= 2.3.0, < 2.3.4fixed 2.3.4

    Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

  • CVE-2019-8132Nov 6, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard.

  • CVE-2019-8145Nov 6, 2019
    affected >= 2.2, < 2.2.10fixed 2.2.10

    A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.

  • CVE-2019-8158Nov 6, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value

  • CVE-2019-8157Nov 6, 2019
    affected >= 2.2, < 2.2.10fixed 2.2.10

    A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization.

  • CVE-2019-8156Nov 6, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution.

  • CVE-2019-8159Nov 6, 2019
    affected >= 2.2, < 2.2.10fixed 2.2.10

    A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute aribitrary code through arbitrary file deletion and OS command injection.

  • CVE-2019-8228Nov 5, 2019
    affected < 1.9.4.3fixed 1.9.4.3

    in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.

  • CVE-2019-8229Nov 5, 2019
    affected < 1.9.4.3fixed 1.9.4.3

    In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.

  • CVE-2019-8232Nov 5, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver c

  • CVE-2019-8233Nov 5, 2019
    affected >= 2.2, < 2.2.10fixed 2.2.10

    In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.

  • CVE-2019-8154Nov 5, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update.

  • CVE-2019-8153Nov 5, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicio

  • CVE-2019-8152Nov 5, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject

  • CVE-2019-8151Nov 5, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling

  • CVE-2019-8150Nov 5, 2019
    affected >= 2.2.0, < 2.2.10fixed 2.2.10

    A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout.

Page 12 of 18