CVE-2019-8228 (GCVE-0-2019-8228)
Vulnerability from cvelistv5 – Published: 2019-11-05 23:59 – Updated: 2024-08-04 21:10
VLAI
EPSS
VEX
Summary
in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.
Severity
4.8 (Medium)
CWE
- Cross-Site Scripting
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://magento.com/security/patches/supee-11219 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe Systems Incorporated | Magento 1 |
Affected:
Magento Open Source prior to 1.9.4.3
Affected: Magento Commerce prior to 1.14.4.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:10:33.576Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://magento.com/security/patches/supee-11219"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento 1",
"vendor": "Adobe Systems Incorporated",
"versions": [
{
"status": "affected",
"version": "Magento Open Source prior to 1.9.4.3"
},
{
"status": "affected",
"version": "Magento Commerce prior to 1.14.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T23:59:27.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://magento.com/security/patches/supee-11219"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"ID": "CVE-2019-8228",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento 1",
"version": {
"version_data": [
{
"version_value": "Magento Open Source prior to 1.9.4.3"
},
{
"version_value": "Magento Commerce prior to 1.14.4.3"
}
]
}
}
]
},
"vendor_name": "Adobe Systems Incorporated"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://magento.com/security/patches/supee-11219",
"refsource": "MISC",
"url": "https://magento.com/security/patches/supee-11219"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2019-8228",
"datePublished": "2019-11-05T23:59:27.000Z",
"dateReserved": "2019-02-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T21:10:33.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2019-8228",
"date": "2026-07-13",
"epss": "0.00517",
"percentile": "0.40357"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*\", \"versionStartIncluding\": \"1.5.0.0\", \"versionEndExcluding\": \"1.9.4.3\", \"matchCriteriaId\": \"D463F1B6-7A1A-45A6-A2B4-654FAFD0E231\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*\", \"versionStartIncluding\": \"1.9.0.0\", \"versionEndExcluding\": \"1.14.4.3\", \"matchCriteriaId\": \"795C485A-D4B2-4B67-9766-D00BC6BE7FA1\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.\"}, {\"lang\": \"es\", \"value\": \"en Magento versiones anteriores a la versi\\u00f3n 1.9.4.3 y Magento versiones anteriores a la versi\\u00f3n 1.14.4.3, un usuario autenticado con privilegios administrativos limitados puede inyectar c\\u00f3digo JavaScript arbitrario a la p\\u00e1gina de correo electr\\u00f3nico transaccional cuando se crea una nueva plantilla de correo electr\\u00f3nico o se edita la plantilla de correo electr\\u00f3nico existente.\"}]",
"id": "CVE-2019-8228",
"lastModified": "2024-11-21T04:49:31.837",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2019-11-06T00:15:12.953",
"references": "[{\"url\": \"https://magento.com/security/patches/supee-11219\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://magento.com/security/patches/supee-11219\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-8228\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2019-11-06T00:15:12.953\",\"lastModified\":\"2024-11-21T04:49:31.837\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.\"},{\"lang\":\"es\",\"value\":\"en Magento versiones anteriores a la versi\u00f3n 1.9.4.3 y Magento versiones anteriores a la versi\u00f3n 1.14.4.3, un usuario autenticado con privilegios administrativos limitados puede inyectar c\u00f3digo JavaScript arbitrario a la p\u00e1gina de correo electr\u00f3nico transaccional cuando se crea una nueva plantilla de correo electr\u00f3nico o se edita la plantilla de correo electr\u00f3nico existente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*\",\"versionStartIncluding\":\"1.5.0.0\",\"versionEndExcluding\":\"1.9.4.3\",\"matchCriteriaId\":\"D463F1B6-7A1A-45A6-A2B4-654FAFD0E231\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*\",\"versionStartIncluding\":\"1.9.0.0\",\"versionEndExcluding\":\"1.14.4.3\",\"matchCriteriaId\":\"795C485A-D4B2-4B67-9766-D00BC6BE7FA1\"}]}]}],\"references\":[{\"url\":\"https://magento.com/security/patches/supee-11219\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://magento.com/security/patches/supee-11219\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…