Description

A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.

Remediation

References

CVE-2019-7887

Related Vulnerabilities

Joomla! Core 3.x.x Security Bypass (3.0.0 - 3.9.24)

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-9015)

Sqlite CVE-2021-36690 Vulnerability (CVE-2021-36690)

XWiki Incorrect Authorization Vulnerability (CVE-2022-23615)

Moodle Improper Input Validation Vulnerability (CVE-2011-4582)

Severity

Medium

Classification

CVE-2019-7887 CWE-707 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities