Description
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious JavaScript.
Remediation
References