Filtered by vendor Magento
Subscribe
Total
225 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-8153 | 1 Magento | 1 Magento | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload. | |||||
CVE-2019-8116 | 1 Magento | 1 Magento | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page. | |||||
CVE-2019-8119 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution. | |||||
CVE-2019-8128 | 1 Magento | 1 Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website. | |||||
CVE-2019-8113 | 1 Magento | 1 Magento | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration. | |||||
CVE-2019-8132 | 1 Magento | 1 Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard. | |||||
CVE-2019-8233 | 1 Magento | 1 Magento | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments. | |||||
CVE-2019-8158 | 1 Magento | 1 Magento | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data. | |||||
CVE-2019-8111 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. | |||||
CVE-2019-8230 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
In Magentoprior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path. | |||||
CVE-2020-3717 | 1 Magento | 1 Magento | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
CVE-2019-8141 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality. | |||||
CVE-2019-8143 | 1 Magento | 1 Magento | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database. | |||||
CVE-2019-8135 | 1 Magento | 1 Magento | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution. | |||||
CVE-2019-8130 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates. | |||||
CVE-2015-6497 | 2 Magento, Php | 2 Magento, Php | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap. | |||||
CVE-2019-8137 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update. | |||||
CVE-2014-1634 | 1 Magento | 1 Advanced Newsletter | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
SQL Injection exists in Advanced Newsletter Magento extension before 2.3.5 via the /store/advancednewsletter/index/subscribeajax/an_category_id/ PATH_INFO. | |||||
CVE-2019-8146 | 1 Magento | 1 Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores. | |||||
CVE-2019-8127 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation. |