VYPR

Packagist (Composer) package

magento/community-edition

pkg:composer/magento/community-edition

Vulnerabilities (355)

  • CVE-2019-7926Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious javascript.

  • CVE-2019-7925Aug 2, 2019
    affected >= 2.1, < 2.1.18fixed 2.1.18

    An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an administrator with limited privileges to delete the downloadable products folder.

  • CVE-2019-7923Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code.

  • CVE-2019-7921Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javas

  • CVE-2019-7915Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers.

  • CVE-2019-7913Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment methods to execute arbitrary code.

  • CVE-2019-7912Aug 2, 2019
    affected >= 2.1, < 2.1.18fixed 2.1.18

    A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in th

  • CVE-2019-7911Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with acce

  • CVE-2019-7909Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated

  • CVE-2019-7908Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify product information.

  • CVE-2019-7904Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes.

  • CVE-2019-7903Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.

  • CVE-2019-7899Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

  • CVE-2019-7898Aug 2, 2019
    affected >= 2.1, < 2.1.18fixed 2.1.18

    Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input.

  • CVE-2019-7897Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated

  • CVE-2019-7896Aug 2, 2019
    affected >= 2.1, < 2.1.18fixed 2.1.18

    A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file

  • CVE-2019-7895Aug 2, 2019
    affected >= 2.1, < 2.1.18fixed 2.1.18

    A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update.

  • CVE-2019-7892Aug 2, 2019
    affected >= 2.1, < 2.1.18fixed 2.1.18

    A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery.

  • CVE-2019-7890Aug 2, 2019
    affected >= 2.1, < 2.1.18fixed 2.1.18

    An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.

  • CVE-2019-7889Aug 2, 2019
    affected >= 2.1.0, < 2.1.18fixed 2.1.18

    An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with marketing manipulation privileges can invoke methods