Filtered by vendor Magento
Total: 225 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2019-8227 | 1 Magento | 1 Magento | 2024-08-04 | 4.8 Medium | In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.
CVE-2019-8228 | 1 Magento | 1 Magento | 2024-08-04 | 4.8 Medium | In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into the transactional email page when creating a new email template or editing an existing email template.
CVE-2019-8233 | 1 Magento | 1 Magento | 2024-08-04 | 6.1 Medium | In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.
CVE-2019-8230 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High | In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.
CVE-2019-8157 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate a downloadable link and cause an invocation of error handling that accesses user input without sanitization.
CVE-2019-8231 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High | In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.
CVE-2019-8158 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical | An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to the page cache block rendering module that gets passed to the XML data processing engine without validation. The crafted key/value GET request data allows an attacker limited access to the underlying XML data.
CVE-2019-8155 | 1 Magento | 1 Magento | 2024-08-04 | 7.5 High | Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions.
CVE-2019-8156 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High | A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector API endpoint to enable remote code execution.
CVE-2019-8159 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute arbitrary code through arbitrary file deletion and OS command injection.
CVE-2019-8153 | 1 Magento | 1 Magento | 2024-08-04 | 6.1 Medium | A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload.
CVE-2019-8128 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious JavaScript into the name of the main website.
CVE-2019-8152 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the WYSIWYG editor can abuse the blockDirective() function and inject malicious JavaScript into the cache of the admin dashboard.
CVE-2019-8144 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical | A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods.
CVE-2019-8150 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout.
CVE-2019-8149 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical | An insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append an arbitrary session id that will not be invalidated by subsequent authentication.
CVE-2019-8151 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway.
CVE-2019-8113 | 1 Magento | 1 Magento | 2024-08-04 | 5.3 Medium | Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses a cryptographically weak random number generator, which allows the confirmation code for customer registration to be brute-forced.
CVE-2019-8141 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High | A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.
CVE-2019-8145 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.