Packagist (Composer) package
magento/community-edition
pkg:composer/magento/community-edition
Vulnerabilities (355)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-8092 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview. | ||
| CVE-2019-8090 | — | >= 2.2.0, < 2.2.10 | 2.2.10 | Nov 5, 2019 | An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature. | ||
| CVE-2019-7853 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configuration in the Magento admin panel. | ||
| CVE-2019-7951 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to leak customer information via cr | ||
| CVE-2019-7950 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to | ||
| CVE-2019-7947 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | ||
| CVE-2019-7945 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbol | ||
| CVE-2019-7944 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privil | ||
| CVE-2019-7942 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates. | ||
| CVE-2019-7939 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious javascript executio | ||
| CVE-2019-7938 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated | ||
| CVE-2019-7937 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascrip | ||
| CVE-2019-7936 | — | >= 2.3.0, < 2.3.2 | 2.3.2 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javasc | ||
| CVE-2019-7935 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated | ||
| CVE-2019-7934 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated | ||
| CVE-2019-7932 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can ex | ||
| CVE-2019-7930 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unaut | ||
| CVE-2019-7929 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges may be able to view metadata of a trusted device used by another administrator via a crafted htt | ||
| CVE-2019-7928 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the | ||
| CVE-2019-7927 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product content pages to inject malicious javascr |
- CVE-2019-8092Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview.
- CVE-2019-8090Nov 5, 2019affected >= 2.2.0, < 2.2.10fixed 2.2.10
An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature.
- CVE-2019-7853Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configuration in the Magento admin panel.
- CVE-2019-7951Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to leak customer information via cr
- CVE-2019-7950Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to
- CVE-2019-7947Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
- CVE-2019-7945Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbol
- CVE-2019-7944Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privil
- CVE-2019-7942Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.
- CVE-2019-7939Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious javascript executio
- CVE-2019-7938Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated
- CVE-2019-7937Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascrip
- CVE-2019-7936Aug 2, 2019affected >= 2.3.0, < 2.3.2fixed 2.3.2
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javasc
- CVE-2019-7935Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated
- CVE-2019-7934Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated
- CVE-2019-7932Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can ex
- CVE-2019-7930Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unaut
- CVE-2019-7929Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges may be able to view metadata of a trusted device used by another administrator via a crafted htt
- CVE-2019-7928Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the
- CVE-2019-7927Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product content pages to inject malicious javascr
Page 15 of 18