Description

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript.

Remediation

References

CVE-2019-7937

Related Vulnerabilities

Oracle Database Server CVE-2013-1538 Vulnerability (CVE-2013-1538)

WordPress Plugin WP Statistics Cross-Site Scripting (9.5.1)

Moodle CVE-2019-3851 Vulnerability (CVE-2019-3851)

WordPress Plugin easyping-website subscriptions done right PHP Object Injection (0.0.1)

WordPress Plugin Nmedia MailChimp Widget 'abs_path' Parameter Remote File Include (3.1)

Severity

Medium

Classification

CVE-2019-7937 CWE-707 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities