Filtered by vendor Magento
Subscriptions
Filtered by product Magento
Subscriptions
Total
222 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-7898 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input. | ||||
| CVE-2019-7877 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript. | ||||
| CVE-2019-7859 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control. | ||||
| CVE-2019-7895 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update. | ||||
| CVE-2019-7876 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout. | ||||
| CVE-2019-7869 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups. | ||||
| CVE-2019-7871 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection. | ||||
| CVE-2019-7865 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration. | ||||
| CVE-2019-7849 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. | ||||
| CVE-2019-7851 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages. | ||||
| CVE-2019-7139 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | ||||
| CVE-2020-15151 | 2 Magento, Openmage | 2 Magento, Openmage Long Term Support | 2024-08-04 | 8 High |
| OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `fromkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2. | ||||
| CVE-2020-9689 | 1 Magento | 1 Magento | 2024-08-04 | 6.5 Medium |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
| CVE-2020-9665 | 1 Magento | 1 Magento | 2024-08-04 | 6.1 Medium |
| Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||||
| CVE-2020-9692 | 1 Magento | 1 Magento | 2024-08-04 | 6.5 Medium |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
| CVE-2020-9630 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical |
| Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation. | ||||
| CVE-2020-9691 | 1 Magento | 1 Magento | 2024-08-04 | 9.6 Critical |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
| CVE-2020-9664 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical |
| Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a php object injection vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
| CVE-2020-9690 | 1 Magento | 1 Magento | 2024-08-04 | 4.2 Medium |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass. | ||||
| CVE-2020-9632 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical |
| Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||