Description
An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model, followed by corresponding database modifications.
Remediation
References