Filtered by vendor Magento
Subscriptions
Total
225 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-8133 | 1 Magento | 1 Magento | 2024-08-04 | 6.5 Medium |
| A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service. | ||||
| CVE-2019-8112 | 1 Magento | 1 Magento | 2024-08-04 | 7.5 High |
| A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation. | ||||
| CVE-2019-8129 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation. | ||||
| CVE-2019-8109 | 1 Magento | 1 Magento | 2024-08-04 | 8.0 High |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution. | ||||
| CVE-2019-8138 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing arbitrary API endpoint that will not be chcecked by sale pickup event. | ||||
| CVE-2019-8091 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High |
| A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution. | ||||
| CVE-2019-8127 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation. | ||||
| CVE-2019-8123 | 1 Magento | 1 Magento | 2024-08-04 | 5.3 Medium |
| An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficent data to effectively track configuration changes. | ||||
| CVE-2019-8114 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High |
| A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload. | ||||
| CVE-2019-8120 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email address. | ||||
| CVE-2019-8115 | 1 Magento | 1 Magento | 2024-08-04 | 4.8 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation. | ||||
| CVE-2019-8121 | 1 Magento | 1 Magento | 2024-08-04 | 9.8 Critical |
| An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities. | ||||
| CVE-2019-8093 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files. | ||||
| CVE-2019-8125 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High |
| A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via crafted support configuration. The modification can lead to remote code execution. | ||||
| CVE-2019-8111 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. | ||||
| CVE-2019-8107 | 1 Magento | 1 Magento | 2024-08-04 | 6.5 Medium |
| An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion. | ||||
| CVE-2019-8110 | 1 Magento | 1 Magento | 2024-08-04 | 8.8 High |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. | ||||
| CVE-2019-8117 | 1 Magento | 1 Magento | 2024-08-04 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticates user can inject arbitrary JavaScript code via product view id specification. | ||||
| CVE-2019-8090 | 1 Magento | 1 Magento | 2024-08-04 | 6.5 Medium |
| An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature. | ||||
| CVE-2019-8116 | 1 Magento | 1 Magento | 2024-08-04 | 7.5 High |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page. | ||||