CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Magento : Security Vulnerabilities Published In 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-8235 639 2019-10-30 2020-08-24
4.0
None Remote Low ??? Partial None None
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.
2 CVE-2019-8233 79 XSS 2019-11-06 2019-11-08
4.3
None Remote Medium Not required None Partial None
In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.
3 CVE-2019-8232 362 Exec Code 2019-11-06 2020-08-24
6.0
None Remote Medium ??? Partial Partial Partial
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.
4 CVE-2019-8231 Exec Code 2019-11-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.
5 CVE-2019-8230 Exec Code 2019-11-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
In Magentoprior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.
6 CVE-2019-8229 Exec Code 2019-11-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.
7 CVE-2019-8228 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.
8 CVE-2019-8227 79 XSS 2019-11-06 2019-11-08
3.5
None Remote Medium ??? None Partial None
In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.
9 CVE-2019-8159 78 Exec Code 2019-11-06 2019-11-07
9.0
None Remote Low ??? Complete Complete Complete
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute aribitrary code through arbitrary file deletion and OS command injection.
10 CVE-2019-8158 91 2019-11-06 2019-11-08
7.5
None Remote Low Not required Partial Partial Partial
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data.
11 CVE-2019-8157 79 XSS 2019-11-06 2019-11-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization.
12 CVE-2019-8156 918 Exec Code 2019-11-06 2019-11-08
6.5
None Remote Low ??? Partial Partial Partial
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution.
13 CVE-2019-8155 352 CSRF 2019-11-06 2020-08-24
5.0
None Remote Low Not required Partial None None
Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions.
14 CVE-2019-8154 829 Exec Code File Inclusion 2019-11-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update.
15 CVE-2019-8153 79 XSS Bypass 2019-11-06 2019-11-07
4.3
None Remote Medium Not required None Partial None
A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload.
16 CVE-2019-8152 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard.
17 CVE-2019-8151 918 Exec Code 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway.
18 CVE-2019-8150 Exec Code 2019-11-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout.
19 CVE-2019-8149 613 2019-11-06 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication.
20 CVE-2019-8148 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder.
21 CVE-2019-8147 79 XSS 2019-11-06 2019-11-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via customer attribute label.
22 CVE-2019-8146 79 XSS 2019-11-06 2019-11-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores.
23 CVE-2019-8145 79 XSS 2019-11-06 2019-11-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
24 CVE-2019-8144 Exec Code 2019-11-06 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods.
25 CVE-2019-8143 89 Sql +Info 2019-11-06 2019-11-06
4.0
None Remote Low ??? Partial None None
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database.
26 CVE-2019-8142 79 XSS 2019-11-06 2019-11-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store.
27 CVE-2019-8141 502 Exec Code 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.
28 CVE-2019-8140 434 2019-11-06 2019-11-07
4.0
None Remote Low ??? None Partial None
An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file.
29 CVE-2019-8139 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product.
30 CVE-2019-8138 79 Exec Code XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing arbitrary API endpoint that will not be chcecked by sale pickup event.
31 CVE-2019-8137 Exec Code 2019-11-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update.
32 CVE-2019-8136 2019-11-06 2019-11-08
7.5
None Remote Low Not required Partial Partial Partial
An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Magento 2 codebase leveraged outdated versions of HTTP specification abstraction implemented in symphony component.
33 CVE-2019-8135 74 Exec Code 2019-11-06 2019-11-07
7.5
None Remote Low Not required Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution.
34 CVE-2019-8134 89 Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables.
35 CVE-2019-8133 DoS Bypass 2019-11-06 2020-08-24
4.0
None Remote Low ??? None None Partial
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service.
36 CVE-2019-8132 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard.
37 CVE-2019-8131 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source.
38 CVE-2019-8130 89 Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates.
39 CVE-2019-8129 79 XSS 2019-11-06 2019-11-07
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation.
40 CVE-2019-8128 79 XSS 2019-11-06 2019-11-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website.
41 CVE-2019-8127 89 Sql 2019-11-05 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation.
42 CVE-2019-8126 776 2019-11-05 2019-11-08
4.0
None Remote Low ??? Partial None None
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.
43 CVE-2019-8125 Exec Code 2019-11-05 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via crafted support configuration. The modification can lead to remote code execution.
44 CVE-2019-8124 345 2019-11-05 2021-03-16
4.0
None Remote Low ??? None Partial None
An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks.
45 CVE-2019-8123 2019-11-05 2020-08-24
5.0
None Remote Low Not required None Partial None
An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficent data to effectively track configuration changes.
46 CVE-2019-8122 Exec Code 2019-11-05 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution.
47 CVE-2019-8121 2019-11-05 2019-11-07
7.5
None Remote Low Not required Partial Partial Partial
An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities.
48 CVE-2019-8120 79 XSS 2019-11-05 2019-11-06
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email address.
49 CVE-2019-8119 Exec Code 2019-11-05 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution.
50 CVE-2019-8118 312 2019-11-05 2019-11-08
5.0
None Remote Low Not required Partial None None
Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.
Total number of vulnerabilities : 137   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.