| CVE-2019-8227 | | 0.00 | — | 0.02 | | Nov 6, 2019 | In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML. |
| CVE-2019-8228 | | 0.00 | — | 0.02 | | Nov 5, 2019 | In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into the transactional email page when creating a new email template or editing an existing email template. |
| CVE-2019-8229 | | 0.00 | — | 0.00 | | Nov 5, 2019 | In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. |
| CVE-2019-8230 | | 0.00 | — | 0.00 | | Nov 5, 2019 | In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path. |
| CVE-2019-8231 | | 0.00 | — | 0.00 | | Nov 5, 2019 | In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification. |
| CVE-2019-8155 | | 0.00 | — | 0.00 | | Nov 5, 2019 | Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions. |
| CVE-2019-8125 | | 0.00 | — | 0.01 | | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via crafted support configuration. The modification can lead to remote code execution. |
| CVE-2019-8091 | | 0.00 | — | 0.01 | | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution. |