Filtered by vendor Magento
Subscriptions
Total
225 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-8108 | 1 Magento | 1 Magento | 2024-08-04 | 6.5 Medium |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session management. | ||||
| CVE-2019-8122 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution. | ||||
| CVE-2019-8130 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates. | ||||
| CVE-2019-8140 | 1 Magento | 1 Magento | 2024-08-04 | 4.9 Medium |
| An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file. | ||||
| CVE-2019-8131 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source. | ||||
| CVE-2019-8142 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store. | ||||
| CVE-2019-8147 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via customer attribute label. | ||||
| CVE-2019-8134 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables. | ||||
| CVE-2019-8119 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution. | ||||
| CVE-2019-8135 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution. | ||||
| CVE-2019-8137 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update. | ||||
| CVE-2019-8146 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores. | ||||
| CVE-2019-8148 | 1 Magento | 1 Magento | 2024-08-04 | 4.8 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder. | ||||
| CVE-2019-8124 | 1 Magento | 1 Magento | 2024-08-04 | 4.9 Medium |
| An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks. | ||||
| CVE-2019-8126 | 1 Magento | 1 Magento | 2024-08-04 | 4.9 Medium |
| An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure. | ||||
| CVE-2019-8132 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard. | ||||
| CVE-2019-8154 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update. | ||||
| CVE-2019-8136 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical |
| An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Magento 2 codebase leveraged outdated versions of HTTP specification abstraction implemented in symphony component. | ||||
| CVE-2019-8139 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product. | ||||
| CVE-2019-8133 | 1 Magento | 1 Magento | 2024-08-04 | 6.5 Medium |
| A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service. | ||||