Description

A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript.

Remediation

References

CVE-2019-7944

Related Vulnerabilities

Owncloud Cross-site Scripting (XSS) Vulnerability (CVE-2020-16255)

phpList Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-23190)

WordPress Plugin User Registration, Login & Landing Pages-LeadMagic Cross-Site Scripting (1.2.7)

SugarCRM Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2019-17298)

WordPress Plugin WPFront Scroll Top Cross-Site Scripting (2.0.6.07225)

Severity

Medium

Classification

CVE-2019-7944 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities