Description

A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.

Remediation

References

CVE-2019-7882

Related Vulnerabilities

WordPress Plugin Simply Poll Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities (1.4.1)

WebLogic Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2020-28491)

WordPress Plugin PlanSo Forms Cross-Site Scripting (2.6.3)

WordPress Plugin Form Builder-Create Responsive Contact Forms Cross-Site Scripting (1.9.8.3)

MyBB Insertion of Sensitive Information into Log File Vulnerability (CVE-2015-8977)

Severity

Medium

Classification

CVE-2019-7882 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities