VYPR

Packagist (Composer) package

magento/community-edition

pkg:composer/magento/community-edition

Vulnerabilities (355)

  • CVE-2019-7863   Aug 2, 2019
    affected >= 2.1, < 2.1.18; fixed 2.1.18

    A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories.

  • CVE-2019-7862   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

  • CVE-2019-7861   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

  • CVE-2019-7860   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    A cryptographically weak pseudo-random number generator is used in multiple security-relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

  • CVE-2019-7859   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control.

  • CVE-2019-7858   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks.

  • CVE-2019-7857   Aug 2, 2019
    affected >= 2.2.0, < 2.2.9; fixed 2.2.9

    A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation.

  • CVE-2019-7855   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.

  • CVE-2019-7854   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.

  • CVE-2019-7852   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized p

  • CVE-2019-7851   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages.

  • CVE-2019-7849   Aug 2, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3

  • CVE-2019-7139   Apr 10, 2019
    affected >= 2.1.0, < 2.1.18; fixed 2.1.18

    An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue affects Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2, and is fixed in those releases.

  • CVE-2018-5301   Jan 8, 2018
    affected < 2.0.10; fixed 2.0.10

    Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433.

  • CVE-2016-6485   High   Mar 1, 2017
    affected >= 2.0, < 2.2.6; fixed 2.2.6

    The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.
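The two PRNG entries in this listing, CVE-2019-7860 and CVE-2016-6485 (which names rand() as the IV source in Framework/Encryption/Crypt.php), describe the same class of defect. The PHP below is an added illustration, not Magento's code: weakIv() mirrors the byte-by-byte rand() pattern the advisory describes, strongIv() is the CSPRNG replacement, and encryptCbc() uses openssl_encrypt rather than whatever cipher library the original class wrapped. The function names and the seed value are assumptions made for the demonstration.

```php
<?php
// Added example, not code from Magento or from this advisory page.
// Contrast a rand()-built CBC IV (the pattern behind CVE-2016-6485 / CVE-2019-7860)
// with an IV drawn from the OS CSPRNG. Function names are hypothetical.
declare(strict_types=1);

/** Weak: one byte at a time from rand(), which is a seeded, fully deterministic generator. */
function weakIv(int $size): string
{
    $iv = '';
    for ($i = 0; $i < $size; $i++) {
        $iv .= chr(rand(0, 255));   // rand() aliases mt_rand() on PHP >= 7.1; neither is a CSPRNG
    }
    return $iv;
}

/** Hardened: random_bytes() reads the OS CSPRNG and cannot be reseeded from userland. */
function strongIv(int $size): string
{
    return random_bytes($size);
}

/** AES-256-CBC with the IV prepended; the IV is public but must be unpredictable. */
function encryptCbc(string $key, string $iv, string $plaintext): string
{
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $iv . $ct;
}

// Demonstration: whoever knows (or enumerates) the 32-bit seed reproduces the IV byte for byte.
$seed = 0x1234abcd;          // constructed value standing in for whatever seeded the process
srand($seed);                // srand() seeds rand() on every PHP version
$ivA = weakIv(16);
srand($seed);                // the attacker replays the same seed
$ivB = weakIv(16);
echo 'rand()-based IV reproducible from seed: ' . var_export($ivA === $ivB, true) . PHP_EOL;

$ivC = strongIv(16);
$ivD = strongIv(16);
echo 'random_bytes() IVs identical: ' . var_export($ivC === $ivD, true) . PHP_EOL;

$key  = random_bytes(32);
$blob = encryptCbc($key, $ivC, 'constructed sample plaintext');
echo 'ciphertext length (iv + ct): ' . strlen($blob) . PHP_EOL;
```

The point of the replay is that the seed space of the legacy generator is only 32 bits, so an attacker does not need to know the seed: having observed one IV on the wire, they can enumerate every seed offline and recover the generator state, after which every other "random" value produced in that process (tokens, salts, reset links) is predictable as well. random_bytes() has no userland seed, so there is nothing to replay.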

Page 18 of 18
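The affected/fixed ranges in the listing above are only useful if they are compared against what a deployment actually pins. The PHP below is an added example, not VYPR's or Magento's code: it parses ranges written in this page's own notation, pulls the package version out of a composer.lock document and reports which entries apply. The composer.lock fragment is constructed for the demonstration, and only four of the page's ranges are copied in; function names are hypothetical.

```php
<?php
// Added example, not code from VYPR or Magento. Decide whether the version pinned in
// composer.lock falls inside affected ranges written as on this page, e.g. ">= 2.1, < 2.1.18".
declare(strict_types=1);

// Ranges copied from the listing above (CVE => affected range).
const AFFECTED = [
    'CVE-2019-7863' => '>= 2.1, < 2.1.18',
    'CVE-2019-7857' => '>= 2.2.0, < 2.2.9',
    'CVE-2018-5301' => '< 2.0.10',
    'CVE-2016-6485' => '>= 2.0, < 2.2.6',
];

/** Parse ">= 2.1, < 2.1.18" into [['>=', '2.1'], ['<', '2.1.18']]. */
function parseRange(string $range): array
{
    $constraints = [];
    foreach (explode(',', $range) as $part) {
        if (!preg_match('/^\s*(>=|<=|>|<|=)\s*([0-9][0-9A-Za-z.\-]*)\s*$/', $part, $m)) {
            throw new InvalidArgumentException("unparseable constraint: $part");
        }
        $constraints[] = [$m[1], $m[2]];
    }
    return $constraints;
}

/** True when $version satisfies every constraint of $range (version_compare handles 2.1 vs 2.1.0). */
function isAffected(string $version, string $range): bool
{
    foreach (parseRange($range) as [$op, $bound]) {
        if (!version_compare($version, $bound, $op)) {
            return false;
        }
    }
    return true;
}

/** Installed version of $package from a composer.lock document, or null if it is not locked. */
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? null) === $package) {
            return ltrim((string) $pkg['version'], 'v');   // tags may carry a leading "v"
        }
    }
    return null;
}

// Constructed composer.lock fragment (not a real lock file) pinning a release inside one range.
const SAMPLE_LOCK = '{"packages":[{"name":"magento/community-edition","version":"2.2.8"}]}';

$version = lockedVersion(SAMPLE_LOCK, 'magento/community-edition');
foreach (AFFECTED as $cve => $range) {
    $hit = $version !== null && isAffected($version, $range);
    printf("%s  %-20s  %s\n", $cve, $range, $hit ? 'AFFECTED' : 'ok');
}
```

With the constructed lock file, 2.2.8 lands inside the CVE-2019-7857 range only. Note that this check encodes just the ranges transcribed here; for the authoritative answer run `composer audit` (Composer 2.4 and later), which queries the Packagist security-advisory feed that this page is derived from, and treat the page's ranges as a cross-check rather than the source of truth.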