Packagist (Composer) package
magento/community-edition
pkg:composer/magento/community-edition
Vulnerabilities (355)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-8127 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectivel | ||
| CVE-2019-8126 | — | >= 2.2, < 2.2.10 | 2.2.10 | Nov 5, 2019 | An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow proces | ||
| CVE-2019-8124 | — | >= 2.1.0, < 2.1.19 | 2.1.19 | Nov 5, 2019 | An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks. | ||
| CVE-2019-8123 | — | >= 2.1.0, < 2.1.19 | 2.1.19 | Nov 5, 2019 | An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficent data to ef | ||
| CVE-2019-8122 | — | >= 2.1.0, < 2.1.19 | 2.1.19 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code | ||
| CVE-2019-8121 | — | >= 2.2, < 2.2.10 | 2.2.10 | Nov 5, 2019 | An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities. | ||
| CVE-2019-8120 | — | >= 2.1.0, < 2.1.19 | 2.1.19 | Nov 5, 2019 | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email addre | ||
| CVE-2019-8119 | — | >= 2.1.0, < 2.1.19 | 2.1.19 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combin | ||
| CVE-2019-8118 | — | >= 2.1.0, < 2.1.19 | 2.1.19 | Nov 5, 2019 | Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts. | ||
| CVE-2019-8117 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticates user can inject arbitrary JavaScript code via product view id specification. | ||
| CVE-2019-8115 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation. | ||
| CVE-2019-8114 | — | < 1.9.4.3 | 1.9.4.3 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archiv | ||
| CVE-2019-8113 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration. | ||
| CVE-2019-8112 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new us | ||
| CVE-2019-8111 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute | ||
| CVE-2019-8110 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. | ||
| CVE-2019-8109 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution. | ||
| CVE-2019-8108 | — | >= 2.2, < 2.2.10 | 2.2.10 | Nov 5, 2019 | Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session managemen | ||
| CVE-2019-8107 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion. | ||
| CVE-2019-8093 | — | >= 2.2, < 2.2.10 | 2.2.10 | Nov 5, 2019 | An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files. |
- CVE-2019-8127Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectivel
- CVE-2019-8126Nov 5, 2019affected >= 2.2, < 2.2.10fixed 2.2.10
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow proces
- CVE-2019-8124Nov 5, 2019affected >= 2.1.0, < 2.1.19fixed 2.1.19
An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks.
- CVE-2019-8123Nov 5, 2019affected >= 2.1.0, < 2.1.19fixed 2.1.19
An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficent data to ef
- CVE-2019-8122Nov 5, 2019affected >= 2.1.0, < 2.1.19fixed 2.1.19
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code
- CVE-2019-8121Nov 5, 2019affected >= 2.2, < 2.2.10fixed 2.2.10
An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities.
- CVE-2019-8120Nov 5, 2019affected >= 2.1.0, < 2.1.19fixed 2.1.19
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email addre
- CVE-2019-8119Nov 5, 2019affected >= 2.1.0, < 2.1.19fixed 2.1.19
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combin
- CVE-2019-8118Nov 5, 2019affected >= 2.1.0, < 2.1.19fixed 2.1.19
Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.
- CVE-2019-8117Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticates user can inject arbitrary JavaScript code via product view id specification.
- CVE-2019-8115Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation.
- CVE-2019-8114Nov 5, 2019affected < 1.9.4.3fixed 1.9.4.3
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archiv
- CVE-2019-8113Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration.
- CVE-2019-8112Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new us
- CVE-2019-8111Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute
- CVE-2019-8110Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
- CVE-2019-8109Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution.
- CVE-2019-8108Nov 5, 2019affected >= 2.2, < 2.2.10fixed 2.2.10
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session managemen
- CVE-2019-8107Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion.
- CVE-2019-8093Nov 5, 2019affected >= 2.2, < 2.2.10fixed 2.2.10
An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files.
Page 14 of 18