Vulnerabilites related to Adobe Systems Incorporated - Magento 2
cve-2019-8115
Vulnerability from cvelistv5
Published
2019-11-05 22:26
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:26:02",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8115",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8115",
"datePublished": "2019-11-05T22:26:02",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8131
Vulnerability from cvelistv5
Published
2019-11-05 23:07
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:07:16",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8131",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8131",
"datePublished": "2019-11-05T23:07:16",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8111
Vulnerability from cvelistv5
Published
2019-11-05 22:18
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.552Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:18:41",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8111",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8111",
"datePublished": "2019-11-05T22:18:41",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8090
Vulnerability from cvelistv5
Published
2019-11-05 21:53
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.544Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary File Deletion",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T21:53:32",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8090",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary File Deletion"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8090",
"datePublished": "2019-11-05T21:53:32",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8122
Vulnerability from cvelistv5
Published
2019-11-05 22:50
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:50:42",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8122",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8122",
"datePublished": "2019-11-05T22:50:42",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8116
Vulnerability from cvelistv5
Published
2019-11-05 22:44
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Inadequate Session Handling",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:44:46",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8116",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Inadequate Session Handling"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8116",
"datePublished": "2019-11-05T22:44:46",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8093
Vulnerability from cvelistv5
Published
2019-11-05 22:07
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.605Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Disclosure of Critically Sensitive Data",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:07:36",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8093",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Disclosure of Critically Sensitive Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8093",
"datePublished": "2019-11-05T22:07:36",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8156
Vulnerability from cvelistv5
Published
2019-11-06 00:01
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.446Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-side Request Forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T00:01:34",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8156",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-side Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8156",
"datePublished": "2019-11-06T00:01:34",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8129
Vulnerability from cvelistv5
Published
2019-11-05 23:04
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:04:57",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8129",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8129",
"datePublished": "2019-11-05T23:04:57",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8146
Vulnerability from cvelistv5
Published
2019-11-05 23:31
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.979Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:31:42",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8146",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8146",
"datePublished": "2019-11-05T23:31:42",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8141
Vulnerability from cvelistv5
Published
2019-11-05 23:26
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.041Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:26:49",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8141",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8141",
"datePublished": "2019-11-05T23:26:49",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8117
Vulnerability from cvelistv5
Published
2019-11-05 22:46
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticates user can inject arbitrary JavaScript code via product view id specification.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticates user can inject arbitrary JavaScript code via product view id specification."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:46:11",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8117",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticates user can inject arbitrary JavaScript code via product view id specification."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8117",
"datePublished": "2019-11-05T22:46:11",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8128
Vulnerability from cvelistv5
Published
2019-11-05 23:02
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.157Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:02:01",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8128",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8128",
"datePublished": "2019-11-05T23:02:01",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8149
Vulnerability from cvelistv5
Published
2019-11-05 23:35
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.053Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken Authentication",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:35:11",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8149",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Broken Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8149",
"datePublished": "2019-11-05T23:35:11",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8154
Vulnerability from cvelistv5
Published
2019-11-05 23:50
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:50:16",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8154",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8154",
"datePublished": "2019-11-05T23:50:16",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8151
Vulnerability from cvelistv5
Published
2019-11-05 23:37
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.047Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:37:12",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8151",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8151",
"datePublished": "2019-11-05T23:37:12",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8124
Vulnerability from cvelistv5
Published
2019-11-05 22:51
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient logging and monitoring",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:51:02",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8124",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient logging and monitoring"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8124",
"datePublished": "2019-11-05T22:51:03",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8145
Vulnerability from cvelistv5
Published
2019-11-06 00:04
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T00:04:43",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8145",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8145",
"datePublished": "2019-11-06T00:04:43",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8109
Vulnerability from cvelistv5
Published
2019-11-05 22:15
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:15:36",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8109",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8109",
"datePublished": "2019-11-05T22:15:36",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8147
Vulnerability from cvelistv5
Published
2019-11-05 23:32
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via customer attribute label.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via customer attribute label."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:32:55",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8147",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via customer attribute label."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8147",
"datePublished": "2019-11-05T23:32:55",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8119
Vulnerability from cvelistv5
Published
2019-11-05 22:49
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.983Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:49:18",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8119",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8119",
"datePublished": "2019-11-05T22:49:18",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8157
Vulnerability from cvelistv5
Published
2019-11-06 00:03
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T00:03:03",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8157",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8157",
"datePublished": "2019-11-06T00:03:03",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8144
Vulnerability from cvelistv5
Published
2019-11-05 23:30
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:30:06",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8144",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8144",
"datePublished": "2019-11-05T23:30:06",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8136
Vulnerability from cvelistv5
Published
2019-11-05 23:18
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Magento 2 codebase leveraged outdated versions of HTTP specification abstraction implemented in symphony component.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Magento 2 codebase leveraged outdated versions of HTTP specification abstraction implemented in symphony component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Using components with known vulnerabilities",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:18:38",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Magento 2 codebase leveraged outdated versions of HTTP specification abstraction implemented in symphony component."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Using components with known vulnerabilities"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8136",
"datePublished": "2019-11-05T23:18:38",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8107
Vulnerability from cvelistv5
Published
2019-11-05 22:11
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary File Deletion",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:11:39",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8107",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary File Deletion"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8107",
"datePublished": "2019-11-05T22:11:39",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8139
Vulnerability from cvelistv5
Published
2019-11-05 23:23
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.947Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:23:58",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8139",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8139",
"datePublished": "2019-11-05T23:23:58",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8143
Vulnerability from cvelistv5
Published
2019-11-05 23:28
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.942Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:28:45",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8143",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8143",
"datePublished": "2019-11-05T23:28:45",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8133
Vulnerability from cvelistv5
Published
2019-11-05 23:09
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.942Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Security bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:09:35",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8133",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Security bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8133",
"datePublished": "2019-11-05T23:09:35",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8134
Vulnerability from cvelistv5
Published
2019-11-05 23:15
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:15:02",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8134",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8134",
"datePublished": "2019-11-05T23:15:02",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8150
Vulnerability from cvelistv5
Published
2019-11-05 23:36
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.084Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:36:10",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8150",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8150",
"datePublished": "2019-11-05T23:36:10",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8110
Vulnerability from cvelistv5
Published
2019-11-05 22:17
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:17:21",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8110",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8110",
"datePublished": "2019-11-05T22:17:21",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8113
Vulnerability from cvelistv5
Published
2019-11-05 22:20
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cryptographic flaw",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:20:48",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8113",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cryptographic flaw"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8113",
"datePublished": "2019-11-05T22:20:48",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8140
Vulnerability from cvelistv5
Published
2019-11-05 23:25
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unrestricted file upload",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:25:01",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8140",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unrestricted file upload"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8140",
"datePublished": "2019-11-05T23:25:01",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8132
Vulnerability from cvelistv5
Published
2019-11-06 00:05
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the \"Design Configuration\" dashboard."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T00:05:24",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8132",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the \"Design Configuration\" dashboard."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8132",
"datePublished": "2019-11-06T00:05:24",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8120
Vulnerability from cvelistv5
Published
2019-11-05 22:49
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email address.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer\u0027s email address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:49:32",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8120",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer\u0027s email address."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8120",
"datePublished": "2019-11-05T22:49:32",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8118
Vulnerability from cvelistv5
Published
2019-11-05 22:49
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cryptographic Flaw",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:49:04",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8118",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cryptographic Flaw"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8118",
"datePublished": "2019-11-05T22:49:04",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8138
Vulnerability from cvelistv5
Published
2019-11-05 23:22
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing arbitrary API endpoint that will not be chcecked by sale pickup event.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing arbitrary API endpoint that will not be chcecked by sale pickup event."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:22:44",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8138",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing arbitrary API endpoint that will not be chcecked by sale pickup event."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8138",
"datePublished": "2019-11-05T23:22:44",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8135
Vulnerability from cvelistv5
Published
2019-11-05 23:17
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.983Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:17:17",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8135",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8135",
"datePublished": "2019-11-05T23:17:17",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8159
Vulnerability from cvelistv5
Published
2019-11-06 00:01
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute aribitrary code through arbitrary file deletion and OS command injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute aribitrary code through arbitrary file deletion and OS command injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T00:01:03",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8159",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute aribitrary code through arbitrary file deletion and OS command injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8159",
"datePublished": "2019-11-06T00:01:03",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8112
Vulnerability from cvelistv5
Published
2019-11-05 22:19
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Security bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:19:37",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8112",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Security bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8112",
"datePublished": "2019-11-05T22:19:37",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8158
Vulnerability from cvelistv5
Published
2019-11-06 00:03
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.504Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XPath Injection vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T00:03:49",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8158",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XPath Injection vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8158",
"datePublished": "2019-11-06T00:03:49",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8126
Vulnerability from cvelistv5
Published
2019-11-05 22:55
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML External Entity Injection (XXE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:55:02",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8126",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML External Entity Injection (XXE)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8126",
"datePublished": "2019-11-05T22:55:02",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8153
Vulnerability from cvelistv5
Published
2019-11-05 23:49
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Security bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:49:40",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8153",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Security bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8153",
"datePublished": "2019-11-05T23:49:40",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8233
Vulnerability from cvelistv5
Published
2019-11-05 23:54
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:54:25",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8233",
"datePublished": "2019-11-05T23:54:25",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8137
Vulnerability from cvelistv5
Published
2019-11-05 23:19
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.979Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution (RCE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:19:40",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution (RCE)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8137",
"datePublished": "2019-11-05T23:19:40",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8127
Vulnerability from cvelistv5
Published
2019-11-05 22:57
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:57:00",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8127",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8127",
"datePublished": "2019-11-05T22:57:00",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8121
Vulnerability from cvelistv5
Published
2019-11-05 22:49
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.609Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Using components with known vulnerabilities",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:49:47",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8121",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p2"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Using components with known vulnerabilities"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8121",
"datePublished": "2019-11-05T22:49:47",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8142
Vulnerability from cvelistv5
Published
2019-11-05 23:27
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:27:33",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8142",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via title of an order when configuring sales payment methods for a store."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8142",
"datePublished": "2019-11-05T23:27:33",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8108
Vulnerability from cvelistv5
Published
2019-11-05 22:13
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session management.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session management."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken Authentication",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:13:29",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8108",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session management."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Broken Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8108",
"datePublished": "2019-11-05T22:13:29",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:33.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8148
Vulnerability from cvelistv5
Published
2019-11-05 23:34
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:34:18",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8148",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8148",
"datePublished": "2019-11-05T23:34:18",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8130
Vulnerability from cvelistv5
Published
2019-11-05 23:06
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:06:06",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8130",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8130",
"datePublished": "2019-11-05T23:06:06",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-8092
Vulnerability from cvelistv5
Published
2019-11-05 22:06
Modified
2024-08-04 21:10
Severity ?
EPSS score ?
Summary
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview.
References
| ▼ | URL | Tags |
|---|---|---|
| https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe Systems Incorporated | Magento 2 |
Version: Magento 2.2 prior to 2.2.10 Version: Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:32.520Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 2",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento 2.2 prior to 2.2.10"
},
{
"status": "affected",
"version": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T22:06:10",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8092",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 2",
"version": {
"version_data": [
{
"version_value": "Magento 2.2 prior to 2.2.10"
},
{
"version_value": "Magento 2.3 prior to 2.3.3 or 2.3.2-p1"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update",
"refsource": "MISC",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8092",
"datePublished": "2019-11-05T22:06:10",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-08-04T21:10:32.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}