Description

A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.

Remediation

References

CVE-2019-7887

Related Vulnerabilities

MySQL CVE-2018-3203 Vulnerability (CVE-2018-3203)

WordPress Plugin NEX-Forms Lite-WordPress Contact Form builder Cross-Site Scripting (2.1.0)

PHP Improper Input Validation Vulnerability (CVE-2011-1470)

WordPress Plugin MC4WP:Mailchimp for WordPress Cross-Site Scripting (4.1.6)

WordPress Plugin Gallery-Video Gallery and Youtube Gallery Cross-Site Scripting (1.7.01)

Severity

Medium

Classification

CVE-2019-7887 CWE-707 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities