Total: 222 CVE
| CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-8155 | Magento | Magento | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions. |
| CVE-2019-8110 | Magento | Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage the email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. |
| CVE-2019-8232 | Magento | Magento | 2024-02-28 | 6.0 MEDIUM | 6.6 MEDIUM | In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification. |
| CVE-2019-8124 | Magento | Magento | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM | An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks. |
| CVE-2019-8092 | Magento | Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM | A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview. |
| CVE-2019-8156 | Magento | Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH | A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector API endpoint to enable remote code execution. |
| CVE-2019-8120 | Magento | Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary JavaScript code by manipulating a section of a POST request related to the customer's email address. |
| CVE-2019-8231 | Magento | Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH | In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification. |
| CVE-2019-8140 | Magento | Magento | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM | An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform an uploaded JPEG file into a PHP file. |
| CVE-2019-8121 | Magento | Magento | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The Magento 2 codebase used outdated versions of JS libraries (Bootstrap, jQuery, Knockout) with known security vulnerabilities. |
| CVE-2019-8108 | Magento | Magento | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | An insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate the session validation setting for a storefront, which leads to insecure authentication and session management. |
| CVE-2019-8157 | Magento | Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate a downloadable link and cause an invocation of error handling that accesses user input without sanitization. |
| CVE-2019-8125 | Magento | Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH | A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via a crafted support configuration. The modification can lead to remote code execution. |
| CVE-2019-8154 | Magento | Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies a product design update. |
| CVE-2019-8129 | Magento | Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation. |
| CVE-2019-8147 | Magento | Magento | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via a customer attribute label. |
| CVE-2020-3715 | Magento | Magento | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. |
| CVE-2019-8151 | Magento | Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway. |
| CVE-2019-8112 | Magento | Magento | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via a GET request that captures relevant account data obtained from the POST response related to new user creation. |
| CVE-2019-7871 | Magento | Magento | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection. |
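The ranges in the table are stated in prose, and two details are easy to get wrong when checking a deployed store against them: the `-pN` security-patch suffix (2.3.2-p1 is fixed where 2.3.2 is not) and the difference between "prior to X" (exclusive) and "X and earlier" (inclusive). The following Python is an added example, not code from the listing or from Magento; it encodes the ranges exactly as the rows above state them and reports which of the listed CVEs cover a given build string. CVE-2019-8125 is left out because its row gives no concrete boundary ("prior to 1.9.x and 1.14.x"). A build on a release line an advisory does not name (for example 2.0.x) is reported as not matching, which is not the same as safe.

```python
import re
from typing import Dict, List, Tuple

Ver = Tuple[int, ...]
PRIOR, UP_TO = "<", "<="  # "prior to X" is exclusive, "X and earlier" is inclusive

# Affected ranges as stated in the table: (release line, operator, boundary).
# A release line is matched by prefix, so "2.3" covers every 2.3.x build.
M1 = [("1.9", PRIOR, "1.9.4.3"), ("1.14", PRIOR, "1.14.4.3")]
M2_P1 = [("2.2", PRIOR, "2.2.10"), ("2.3", PRIOR, "2.3.2-p1")]  # "prior to 2.3.3 or 2.3.2-p1"
M2_21 = [("2.1", PRIOR, "2.1.19"), ("2.2", PRIOR, "2.2.10"), ("2.3", PRIOR, "2.3.3")]

ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "CVE-2019-8155": M1,
    "CVE-2019-8231": M1,
    "CVE-2019-8232": M1 + M2_P1,
    **{c: M2_P1 for c in ("CVE-2019-8110", "CVE-2019-8092", "CVE-2019-8156",
                          "CVE-2019-8140", "CVE-2019-8108", "CVE-2019-8157",
                          "CVE-2019-8154", "CVE-2019-8129", "CVE-2019-8147",
                          "CVE-2019-8151", "CVE-2019-8112")},
    **{c: M2_21 for c in ("CVE-2019-8124", "CVE-2019-8120", "CVE-2019-8121")},
    "CVE-2019-7871": [("2.1", PRIOR, "2.1.18"), ("2.2", PRIOR, "2.2.9"),
                      ("2.3", PRIOR, "2.3.2")],
    "CVE-2020-3715": [("1.9", UP_TO, "1.9.4.3"), ("1.14", UP_TO, "1.14.4.3"),
                      ("2.2", UP_TO, "2.2.10"), ("2.3", UP_TO, "2.3.3")],
}


def parse_version(s: str) -> Ver:
    """'2.3.2-p1' -> (2, 3, 2, 1); '2.3.3' -> (2, 3, 3, 0); '1.9.4.3' -> (1, 9, 4, 3, 0).

    The last element is the -pN security-patch level (0 when absent), so tuple
    comparison orders 2.3.2 < 2.3.2-p1 < 2.3.3 as Magento's release numbering does.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-p(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {s!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums + (int(m.group(2) or 0),)


def is_affected(cve: str, version: str) -> bool:
    """True when `version` falls inside one of the ranges the table states for `cve`.

    Only the release lines the advisory names are evaluated; a build on an
    unlisted line is reported as not matching, not as known-good.
    """
    v = parse_version(version)
    for line, op, boundary in ADVISORIES[cve]:
        prefix = tuple(int(x) for x in line.split("."))
        if v[:len(prefix)] != prefix:
            continue  # this build is on another release line
        bound = parse_version(boundary)
        return v < bound if op == PRIOR else v <= bound
    return False


def applicable_cves(version: str) -> List[str]:
    """Sorted list of table entries whose stated ranges cover `version`."""
    return sorted(c for c in ADVISORIES if is_affected(c, version))


if __name__ == "__main__":
    for build in ("2.3.2", "2.3.2-p1", "2.3.4", "1.9.4.2"):
        print(build, "->", ", ".join(applicable_cves(build)) or "none of the listed entries")
```

Note that 2.3.2-p1 clears the rows worded "2.3.3 or 2.3.2-p1" but not the rows worded only "2.3 prior to 2.3.3" (CVE-2019-8124, CVE-2019-8120, CVE-2019-8121) or the inclusive "2.3.3 and earlier" of CVE-2020-3715; the checker reproduces that distinction rather than assuming the patch release fixes everything.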
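The CVE-2019-8155 row describes a CSRF token carried in the URL of a GET request, which exposes it to anyone who can observe the traffic. A practical consequence the row does not spell out is that such URLs are also written to web-server and proxy access logs, browser history and outbound Referer headers, so the store's own logs become a second copy of every token. The following Python is an added example, not code from the listing or from Magento: it scans access-log lines for GET requests whose target carries a token-named parameter, either in the query string or in Magento's `/name/value/` path-segment style, and redacts the value before the line is stored. The parameter name `form_key` is the assumed token name, and the log lines are constructed for the example, not captured traffic.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as CSRF tokens. "form_key" is an assumption for this
# example; extend the set for other frameworks.
TOKEN_PARAMS = {"form_key"}

# Apache/nginx "combined" format: client, ident, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one login flow, two GET requests that
# carry form_key in the path, and one harmless GET with a query string.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2019:10:01:02 +0000] "GET /customer/account/login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2019:10:01:09 +0000] "POST /customer/account/loginPost/ HTTP/1.1" 302 0 "https://shop.example/customer/account/login/" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2019:10:01:15 +0000] "GET /wishlist/index/add/product/42/form_key/AbC123dEf456GhI7/ HTTP/1.1" 302 0 "https://shop.example/catalog/product/view/id/42/" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2019:10:02:30 +0000] "GET /checkout/cart/delete/id/9/form_key/AbC123dEf456GhI7/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2019:10:03:00 +0000] "GET /catalog/product/view/id/42/?utm_source=newsletter HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""


def token_params(target: str) -> Dict[str, str]:
    """Token-named parameters found in a request target.

    Looks in the query string (?form_key=...) and in Magento-style path
    segments (/form_key/<value>/), since Magento 1 encodes parameters both ways.
    """
    parts = urlsplit(target)
    found = {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k in TOKEN_PARAMS}
    segs = [s for s in parts.path.split("/") if s]
    for i in range(len(segs) - 1):
        if segs[i] in TOKEN_PARAMS:
            found[segs[i]] = segs[i + 1]
    return found


def find_token_leaks(log_text: str) -> List[Dict[str, object]]:
    """GET requests whose URL carried a token; POST bodies are not logged, so only GET matters."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        leaked = token_params(m.group("target"))
        if leaked:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "target": m.group("target"), "params": leaked})
    return hits


def redact(line: str) -> str:
    """Replace token values in a log line so the stored log no longer holds them."""
    for name in TOKEN_PARAMS:
        line = re.sub(rf"(/{re.escape(name)}/)[^/\s\"?]+", r"\1[REDACTED]", line)
        line = re.sub(rf"([?&]{re.escape(name)}=)[^&\s\"]+", r"\1[REDACTED]", line)
    return line


if __name__ == "__main__":
    for hit in find_token_leaks(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} GET {hit["target"]} leaks {hit["params"]}')
    print(redact(SAMPLE_LOG.splitlines()[2]))
```

Redaction at ingestion only limits the secondary exposure; the fix for the row itself is the vendor update, since the token is still on the wire and in the client's history until the request stops putting it in the URL.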