Description
An insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session ID value following a successful login to gain access to the customer account index page.
Remediation
References