VYPR

Magento2

by Magento

CVEs (2)

  • CVE-2015-8707, Critical, Sep 26, 2017
    risk 0.64, cvss 9.8, epss 0.01

    Password reset tokens in Magento CE before 1.9.2.2 and Magento EE before 1.14.2.2 are passed via a GET request and not canceled after use, which allows remote attackers to obtain user passwords via a crafted external service with access to the referrer field.

  • CVE-2016-6485, High, Mar 1, 2017
    risk 0.49, cvss 7.5, epss 0.01

    The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.