Total
222 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-3758 | 1 Magento | 1 Magento | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-3718 | 1 Magento | 1 Magento | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-8142 | 1 Magento | 1 Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store. | |||||
| CVE-2019-8090 | 1 Magento | 1 Magento | 2024-02-28 | 5.5 MEDIUM | 6.5 MEDIUM |
| An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature. | |||||
| CVE-2019-8126 | 1 Magento | 1 Magento | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure. | |||||
| CVE-2019-8133 | 1 Magento | 1 Magento | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service. | |||||
| CVE-2019-8122 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution. | |||||
| CVE-2020-3716 | 1 Magento | 1 Magento | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-8115 | 1 Magento | 1 Magento | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation. | |||||
| CVE-2019-8093 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files. | |||||
| CVE-2019-8091 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution. | |||||
| CVE-2019-8107 | 1 Magento | 1 Magento | 2024-02-28 | 5.5 MEDIUM | 6.5 MEDIUM |
| An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion. | |||||
| CVE-2019-8139 | 1 Magento | 1 Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product. | |||||
| CVE-2019-8229 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. | |||||
| CVE-2019-8109 | 1 Magento | 1 Magento | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution. | |||||
| CVE-2019-8152 | 1 Magento | 1 Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard. | |||||
| CVE-2019-8136 | 1 Magento | 1 Magento | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Magento 2 codebase leveraged outdated versions of HTTP specification abstraction implemented in symphony component. | |||||
| CVE-2019-8144 | 1 Magento | 1 Magento | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods. | |||||
| CVE-2019-8118 | 1 Magento | 1 Magento | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts. | |||||
| CVE-2019-8149 | 1 Magento | 1 Magento | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication. | |||||