Packagist (Composer) package
magento/community-edition
pkg:composer/magento/community-edition
Vulnerabilities (355)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-3719 | — | >= 2.3.0, < 2.3.4 | 2.3.4 | Jan 29, 2020 | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||
| CVE-2020-3718 | — | >= 2.3.0, < 2.3.4 | 2.3.4 | Jan 29, 2020 | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | ||
| CVE-2020-3717 | — | >= 2.2.0, < 2.2.11 | 2.2.11 | Jan 29, 2020 | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||
| CVE-2020-3716 | — | >= 2.2.0, < 2.2.11 | 2.2.11 | Jan 29, 2020 | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | ||
| CVE-2020-3715 | — | >= 2.3.0, < 2.3.4 | 2.3.4 | Jan 29, 2020 | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||
| CVE-2019-8132 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 6, 2019 | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard. | ||
| CVE-2019-8145 | — | >= 2.2, < 2.2.10 | 2.2.10 | Nov 6, 2019 | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products. | ||
| CVE-2019-8158 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 6, 2019 | An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value | ||
| CVE-2019-8157 | — | >= 2.2, < 2.2.10 | 2.2.10 | Nov 6, 2019 | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization. | ||
| CVE-2019-8156 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 6, 2019 | A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution. | ||
| CVE-2019-8159 | — | >= 2.2, < 2.2.10 | 2.2.10 | Nov 6, 2019 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute aribitrary code through arbitrary file deletion and OS command injection. | ||
| CVE-2019-8228 | — | < 1.9.4.3 | 1.9.4.3 | Nov 5, 2019 | in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template. | ||
| CVE-2019-8229 | — | < 1.9.4.3 | 1.9.4.3 | Nov 5, 2019 | In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. | ||
| CVE-2019-8232 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver c | ||
| CVE-2019-8233 | — | >= 2.2, < 2.2.10 | 2.2.10 | Nov 5, 2019 | In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments. | ||
| CVE-2019-8154 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update. | ||
| CVE-2019-8153 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicio | ||
| CVE-2019-8152 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject | ||
| CVE-2019-8151 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling | ||
| CVE-2019-8150 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout. |
- CVE-2020-3719Jan 29, 2020affected >= 2.3.0, < 2.3.4fixed 2.3.4
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
- CVE-2020-3718Jan 29, 2020affected >= 2.3.0, < 2.3.4fixed 2.3.4
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-3717Jan 29, 2020affected >= 2.2.0, < 2.2.11fixed 2.2.11
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure.
- CVE-2020-3716Jan 29, 2020affected >= 2.2.0, < 2.2.11fixed 2.2.11
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-3715Jan 29, 2020affected >= 2.3.0, < 2.3.4fixed 2.3.4
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
- CVE-2019-8132Nov 6, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard.
- CVE-2019-8145Nov 6, 2019affected >= 2.2, < 2.2.10fixed 2.2.10
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
- CVE-2019-8158Nov 6, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value
- CVE-2019-8157Nov 6, 2019affected >= 2.2, < 2.2.10fixed 2.2.10
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization.
- CVE-2019-8156Nov 6, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution.
- CVE-2019-8159Nov 6, 2019affected >= 2.2, < 2.2.10fixed 2.2.10
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute aribitrary code through arbitrary file deletion and OS command injection.
- CVE-2019-8228Nov 5, 2019affected < 1.9.4.3fixed 1.9.4.3
in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.
- CVE-2019-8229Nov 5, 2019affected < 1.9.4.3fixed 1.9.4.3
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.
- CVE-2019-8232Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver c
- CVE-2019-8233Nov 5, 2019affected >= 2.2, < 2.2.10fixed 2.2.10
In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.
- CVE-2019-8154Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update.
- CVE-2019-8153Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicio
- CVE-2019-8152Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject
- CVE-2019-8151Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling
- CVE-2019-8150Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout.
Page 12 of 18