Multiple vulnerabilities in Magento products



Published: 2017-09-15
Risk: Low
Patch available: YES
Number of vulnerabilities: 34
CVE-ID: N/A
CWE-ID: CWE-264, CWE-352, CWE-300, CWE-20, CWE-79, CWE-200, CWE-22, CWE-94, CWE-601, CWE-384, CWE-190, CWE-284
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Adobe Commerce (formerly Magento Commerce)
Web applications / E-Commerce systems

Magento Open Source
Web applications / E-Commerce systems

Vendor: Magento, Inc

Security Bulletin

This security bulletin contains information about 34 vulnerabilities.

1) Remote code execution

EUVDB-ID: #VU8453

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to an unspecified error. A remote authenticated attacker can introduce malicious code when creating a new CMS Page and execute arbitrary code.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site request forgery

EUVDB-ID: #VU8454

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to perform a CSRF attack.

The weakness exists due to improper input validation in the customer group. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group))


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Stored XSS

EUVDB-ID: #VU8455

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1494: AdminNotification Stored XSS)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Remote code execution

EUVDB-ID: #VU8456

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to executable script uploads being possible in non-Apache installations, where the upload directory is protected only by .htaccess rules. A remote attacker can execute arbitrary code.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1793: Potential file uploads solely protected by .htaccess)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cross-site request forgery

EUVDB-ID: #VU8457

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to perform a CSRF attack.

The weakness exists due to improper input validation in the newsletter template. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site scripting

EUVDB-ID: #VU8458

Risk: Low

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker with administrative privileges to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1729: XSS in admin order view using order status label in Magento)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Information disclosure

EUVDB-ID: #VU8459

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can craft a URL request on a Magento site during checkout and retrieve information about past orders.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1588: Order Item Custom Option Disclosure)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Information disclosure

EUVDB-ID: #VU8460

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to incorrect handling of autocomplete by several fields in the Admin panel. A remote attacker can obtain arbitrary data when a browser tries to autocomplete the field.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1599: Admin login does not handle autocomplete feature correctly)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Path traversal

EUVDB-ID: #VU8461

Risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to view contents of arbitrary files on the system.

The vulnerability exists due to insufficient input validation in the theme creation function. A remote administrator with limited privileges can view or delete arbitrary files on the target system.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1887: Arbitrary File Disclose)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Path traversal

EUVDB-ID: #VU8462

Risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to view contents of arbitrary files on the system.

The vulnerability exists due to insufficient input validation in the Delete Files module. A remote administrator with limited privileges can view or delete arbitrary files on the target system.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1850: Arbitrary File Delete)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Path traversal

EUVDB-ID: #VU8463

Risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to view contents of arbitrary files on the system.

The vulnerability exists due to insufficient input validation in the Magento functional tests. A remote administrator with limited privileges can delete arbitrary files or execute arbitrary commands on the vulnerable system.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1851: Arbitrary file delete + Lack of input sanitization leading to Remote Code Execution)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Information disclosure

EUVDB-ID: #VU8464

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an insecure algorithm used when generating cookies for orders. A remote attacker with access to generic order information can generate a cookie collision and obtain order information.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1567: Order history disclosure)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Path traversal

EUVDB-ID: #VU8465

Risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to view contents of arbitrary files on the system.

The vulnerability exists due to insufficient input validation in the sitemap functionality. A remote administrator with limited privileges can use the sitemap generation tool to arbitrarily overwrite sensitive files.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1769: Overwrite a Relative Path in Sitemap)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Information disclosure

EUVDB-ID: #VU8466

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because several Magento site URLs leak sensitive information, which can include verbose error messages and controller locations. A remote attacker can use this information to exploit other vulnerabilities.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1713: Setup pages expose sensitive data)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Open redirect

EUVDB-ID: #VU8467

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform phishing attacks.

The vulnerability exists due to an error in the redirection functionality. A remote attacker can perform phishing attacks against website users.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1482: Security Issue with referrer)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Stored XSS

EUVDB-ID: #VU8468

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to perform XSS attacks.

The vulnerability exists due to insufficient input sanitization when processing custom product attributes. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1502: Stored XSS - Add new group in Attribute set name)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Session fixation

EUVDB-ID: #VU8469

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform session fixation attacks.

The vulnerability exists due to an error in the session expiration functionality. A remote attacker can log in to the website through one of the user's expired sessions.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1819: Customer login authenticates two different sessions)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Information disclosure

EUVDB-ID: #VU8470

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in the account lockout mechanism. A remote attacker can obtain the Magento site's contact e-mail.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1709: Customer email enumeration through frontend login)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Cross-site request forgery

EUVDB-ID: #VU8471

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability exists due to the absence of CSRF protection in the customer registration process. A remote attacker can perform CSRF attacks and create an arbitrary number of user accounts on the website.
Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1802: Customer registration through frontend does not have anti-CSRF protection)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Stored XSS

EUVDB-ID: #VU8472

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to perform XSS attacks.

The vulnerability exists due to insufficient input sanitization when processing page titles. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1493: CMS Page Title Stored XSS)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Cross-site request forgery

EUVDB-ID: #VU8473

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability exists because the anti-CSRF form_key token is not changed after user login. A remote attacker can intercept the token before authorization and perform CSRF attacks against website users.
Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1755: Anti-CSRF form_key is not changed after login)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Information disclosure

EUVDB-ID: #VU8474

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because Magento email replies to product requests expose the system path of the Magento installation. A remote attacker can leverage the system path to enable the use of other vulnerabilities.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1628: Full Path Disclosure Web Root Directory)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Stored XSS

EUVDB-ID: #VU8475

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to perform XSS attacks.

The vulnerability exists due to insufficient input sanitization when processing email templates. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1775: Stored Cross-Site Scripting in email template bypass)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Information disclosure

EUVDB-ID: #VU8476

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an unspecified error. A remote attacker can visit an internal URL and see the status of a Magento upgrade.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1630: Anonymous users can view upgrade progress updates)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Stored XSS

EUVDB-ID: #VU8477

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to perform XSS attacks.

The vulnerability exists due to insufficient input sanitization when processing product thumbnails. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1591: Stored XSS on product thumbnail)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Stored XSS

EUVDB-ID: #VU8478

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to perform XSS attacks.

The vulnerability exists due to insufficient input sanitization when processing product thumbnails. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1545: Stored XSS through customer group name in admin panel)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Stored XSS

EUVDB-ID: #VU8479

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to perform XSS attacks.

The vulnerability exists due to insufficient input sanitization when processing product thumbnails. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in the integration activation in context of vulnerable website.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1577: Stored XSS in integration activation)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Stored XSS

EUVDB-ID: #VU8480

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to perform XSS attacks.

The vulnerability exists due to insufficient input sanitization when processing the order view through the order code label. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1896: Possible XSS in admin order view using order code label)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Stored XSS

EUVDB-ID: #VU8481

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to perform XSS attacks.

The vulnerability exists due to insufficient input sanitization when processing SVG images used as the favicon. A remote authenticated administrator can permanently inject and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1673: Stored xss using svg images in Favicon)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Integer overflow

EUVDB-ID: #VU8482

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition.

The vulnerability exists due to an integer overflow. A remote attacker can modify the page counter when creating a new page and cause a denial of service.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1773: Injection on Page leading to DoS)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Session hijacking

EUVDB-ID: #VU8483

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform session fixation attacks.

The vulnerability exists because customer and admin tokens do not expire correctly. A remote attacker can log in to the website through one of the user's expired sessions.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1701: API token does not correctly expire)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Improper access control

EUVDB-ID: #VU8484

Risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote administrator to change the favicon for the entire website.

A Magento administrator with limited privileges can update the Favicon image for the entire site.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1510: Any admin user can upload Favicon Icon)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Improper access control

EUVDB-ID: #VU8485

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an improper check of Access Control Lists in the quick edit grid. A remote attacker can bypass security restrictions and perform further attacks.

Mitigation

Update to version 2.0.16 or 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1535: Access Control Lists not validated when using quick edit mode in tables)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Improper access control

EUVDB-ID: #VU8486

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to modify order fields.

The vulnerability exists due to improper access controls. A remote attacker can modify order fields that they do not have permission to view.

Mitigation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6

Magento Open Source: 1.9.0.0 - 1.9.3.5

External links

http://magento.com/security/patches/magento-2016-and-219-security-update (APPSEC-1495: Any user can interact with the sales order function despite not being authorized)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
