Description
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An authenticated user with privileges to edit newsletter templates could exploit it to inject malicious JavaScript.
Remediation
References