Description

A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.

Remediation

References

CVE-2019-7887

Related Vulnerabilities

Apache HTTP Server Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2022-30556)

Roundcube Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2009-4076)

WordPress Plugin Popular Posts by BestWebSoft Cross-Site Scripting (1.0.4)

Caddy Web Server URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-29718)

WordPress Plugin Live Chat for Fanpage Cross-Site Scripting (2.0.1)

Severity

Medium

Classification

CVE-2019-7887 CWE-707 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities