Description

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status.

Remediation

References

CVE-2019-7867

Related Vulnerabilities

phpMyFAQ Improper Restriction of Excessive Authentication Attempts Vulnerability (CVE-2017-11187)

WordPress Plugin Widgets for WooCommerce Products on Elementor Cross-Site Scripting (1.0.7)

GlassFish Observable Discrepancy Vulnerability (CVE-2013-1620)

Dolibarr Improper Input Validation Vulnerability (CVE-2022-0174)

WebLogic Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-10219)

Severity

Medium

Classification

CVE-2019-7867 CWE-707 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities