Packagist (Composer) package
magento/community-edition
pkg:composer/magento/community-edition
Vulnerabilities (355)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-7888 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a malicious email template. | ||
| CVE-2019-7887 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to | ||
| CVE-2019-7886 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts. | ||
| CVE-2019-7885 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the abilit | ||
| CVE-2019-7882 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to | ||
| CVE-2019-7881 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack). | ||
| CVE-2019-7880 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascri | ||
| CVE-2019-7877 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript. | ||
| CVE-2019-7876 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout. | ||
| CVE-2019-7875 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated | ||
| CVE-2019-7874 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles. | ||
| CVE-2019-7873 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule. | ||
| CVE-2019-7872 | — | >= 2.1, < 2.1.18 | 2.1.18 | Aug 2, 2019 | An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks. This can be abused by a user with admin privileges to add users to company accounts or | ||
| CVE-2019-7871 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injecti | ||
| CVE-2019-7869 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups. | ||
| CVE-2019-7868 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules. | ||
| CVE-2019-7867 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status. | ||
| CVE-2019-7866 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor. | ||
| CVE-2019-7865 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration. | ||
| CVE-2019-7864 | — | >= 2.1.0, < 2.1.18 | 2.1.18 | Aug 2, 2019 | An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details. |
- CVE-2019-7888Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a malicious email template.
- CVE-2019-7887Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to
- CVE-2019-7886Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts.
- CVE-2019-7885Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the abilit
- CVE-2019-7882Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to
- CVE-2019-7881Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).
- CVE-2019-7880Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascri
- CVE-2019-7877Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript.
- CVE-2019-7876Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.
- CVE-2019-7875Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated
- CVE-2019-7874Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles.
- CVE-2019-7873Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule.
- CVE-2019-7872Aug 2, 2019affected >= 2.1, < 2.1.18fixed 2.1.18
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks. This can be abused by a user with admin privileges to add users to company accounts or
- CVE-2019-7871Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injecti
- CVE-2019-7869Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups.
- CVE-2019-7868Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules.
- CVE-2019-7867Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status.
- CVE-2019-7866Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor.
- CVE-2019-7865Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration.
- CVE-2019-7864Aug 2, 2019affected >= 2.1.0, < 2.1.18fixed 2.1.18
An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
Page 17 of 18