SB2019080307 - Multiple vulnerabilities in Magento, Magento Open Source
Published: August 3, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 109 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2019-8132)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious payload in the template Name field for Email template in the "Design Configuration" dashboard.
2) Cross-site scripting (CVE-ID: CVE-2019-8145)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-8156)
The vulnerability allows a remote privileged user to execute arbitrary code.
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution.
4) Cross-site scripting (CVE-ID: CVE-2019-8157)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate a downloadable link and cause an invocation of error handling that accesses user input without sanitization.
5) XML injection (CVE-ID: CVE-2019-8158)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to the page cache block rendering module that gets passed to the XML data processing engine without validation. The crafted key/value GET request data gives an attacker limited access to the underlying XML data.
6) Cross-site scripting (CVE-ID: CVE-2019-8128)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website.
7) Cross-site scripting (CVE-ID: CVE-2019-8129)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation.
8) SQL injection (CVE-ID: CVE-2019-8130)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
9) Cross-site scripting (CVE-ID: CVE-2019-8131)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source.
10) Input validation error (CVE-ID: CVE-2019-8133)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service.
11) SQL injection (CVE-ID: CVE-2019-8134)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
12) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2019-8135)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through the Symfony framework allows service identifiers to be derived from user-controlled data, which can lead to remote code execution.
13) Input validation error (CVE-ID: CVE-2019-8137)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update.
14) Cross-site scripting (CVE-ID: CVE-2019-8138)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event.
15) Cross-site scripting (CVE-ID: CVE-2019-8139)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product.
16) Arbitrary file upload (CVE-ID: CVE-2019-8140)
The vulnerability allows a remote privileged user to manipulate data.
An unrestricted file upload vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file.
17) Deserialization of Untrusted Data (CVE-ID: CVE-2019-8141)
The vulnerability allows a remote privileged user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.
18) Cross-site scripting (CVE-ID: CVE-2019-8142)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via title of an order when configuring sales payment methods for a store. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
19) SQL injection (CVE-ID: CVE-2019-8143)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
20) Cross-site scripting (CVE-ID: CVE-2019-8146)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores.
21) Cross-site scripting (CVE-ID: CVE-2019-8147)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via customer attribute label. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
22) Cross-site scripting (CVE-ID: CVE-2019-8148)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via page builder. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
23) Session Fixation (CVE-ID: CVE-2019-8149)
The vulnerability allows a remote non-authenticated attacker to hijack the session of another user.
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication.
24) Input validation error (CVE-ID: CVE-2019-8150)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout.
25) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-8151)
The vulnerability allows a remote privileged user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway.
26) Cross-site scripting (CVE-ID: CVE-2019-8152)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting (XSS) vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the WYSIWYG editor can abuse the blockDirective() function and inject malicious JavaScript into the cache of the admin dashboard.
27) Cross-site scripting (CVE-ID: CVE-2019-8153)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A bypass of a cross-site scripting (XSS) mitigation exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would allow an attacker to bypass the `escapeURL()` function and execute a malicious XSS payload.
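Entry 27 is a bypass of a URL escaper, and such bypasses almost always work the same way: the escaper checks for a dangerous scheme on the raw string, while the browser first undoes entity encoding, strips tabs and control characters and folds case, and only then decides that the value is a javascript: URL. The following added example (not Magento's escapeUrl and not taken from the page) shows a URL escaper that makes the scheme decision on a browser-normalized copy of the value and then attribute-escapes the original, plus a link renderer that keeps the attribute and text-node contexts separate. The scheme allowlist is an assumption.

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

# Added example (not Magento's escapeUrl): an attribute-safe URL escaper that decides on
# the scheme only after undoing the encodings a browser would undo.

ALLOWED_SCHEMES = {"http", "https", "mailto"}    # assumption: what this page may link to
_CTRL = re.compile(r"[\x00-\x1f\x7f]")           # browsers drop these before scheme matching


def normalize_url(raw: str) -> str:
    """Canonicalise the forms an attacker uses to hide 'javascript:' from a naive check."""
    s = html.unescape(raw)                 # &#106;avascript:, java&colon; ...
    s = unicodedata.normalize("NFKC", s)   # fullwidth letters and other compatibility forms
    s = _CTRL.sub("", s)                   # java\tscript:, java\nscript:
    return s.strip()


def escape_url(raw: str) -> str:
    """Return the URL escaped for use inside a quoted HTML attribute, or '' when its
    scheme is not on the allowlist. Relative URLs have no scheme and are kept.
    The decision is made on the normalized probe; the value emitted is the original
    (minus control characters), so a legitimate query string is not altered."""
    probe = normalize_url(raw)
    scheme = urlsplit(probe).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return html.escape(_CTRL.sub("", raw).strip(), quote=True)


def render_link(href: str, label: str) -> str:
    """Attribute context for the URL, text-node context for the label: two escapers."""
    safe_href = escape_url(href) or "#"
    return f'<a href="{safe_href}">{html.escape(label)}</a>'
```

Allowlisting schemes, rather than blocklisting javascript:, is what makes the normalization step sufficient: data:, vbscript: and anything not yet thought of fail closed.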
28) Input validation error (CVE-ID: CVE-2019-8154)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update.
29) OS Command Injection (CVE-ID: CVE-2019-8159)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute arbitrary code through arbitrary file deletion and OS command injection.
30) Input validation error (CVE-ID: CVE-2019-8232)
The vulnerability allows a remote privileged user to execute arbitrary code.
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.
31) Cross-site scripting (CVE-ID: CVE-2019-8233)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.
32) Improper Authentication (CVE-ID: CVE-2019-8108)
The vulnerability allows a remote authenticated user to manipulate data.
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session management.
33) Cross-site request forgery (CVE-ID: CVE-2019-8109)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, for example by crafting a malicious CSRF payload that results in arbitrary command execution.
34) Input validation error (CVE-ID: CVE-2019-8110)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
35) Input validation error (CVE-ID: CVE-2019-8111)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
36) Insufficient verification of data authenticity (CVE-ID: CVE-2019-8112)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation.
37) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2019-8113)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses a cryptographically weak random number generator to produce the confirmation code for customer registration, which allows an attacker to brute-force the code.
38) Improper Authentication (CVE-ID: CVE-2019-8116)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page.
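Entries 23 (CVE-2019-8149) and 38 (CVE-2019-8116) are two faces of one missing control: the session identifier the client arrives with (planted by an attacker, or the guest id an attacker already knows) must stop being valid at the moment authentication succeeds. The following added example, not Magento code, puts a fixation-prone login next to one that rotates the id on login, with a small in-memory store and a constructed credential standing in for the real backend.

```python
import secrets

# Added example (not Magento code): a login routine that keeps the pre-authentication
# session id next to one that rotates it. The store and credential are constructed.

USERS = {"alice": "correct horse battery staple"}   # constructed demo credential


class SessionStore:
    """Minimal in-memory session backend standing in for the real one."""

    def __init__(self):
        self._sessions = {}

    def get(self, sid):
        return self._sessions.get(sid)

    def create(self, data=None) -> str:
        sid = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        self._sessions[sid] = dict(data or {})
        return sid

    def adopt(self, sid):
        """Vulnerable helper: start tracking whatever id the client presented."""
        self._sessions.setdefault(sid, {})
        return self._sessions[sid]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login_fixation_prone(store, presented_sid, username, password):
    """Authenticates into the id the client arrived with. If that id was planted by an
    attacker (link, injected cookie) or is the guest id the attacker already knows,
    the attacker now holds an authenticated session."""
    if USERS.get(username) != password:
        return None
    sess = store.get(presented_sid)
    if sess is None:
        sess = store.adopt(presented_sid)       # never issued by us, accepted anyway
    sess["user"] = username
    return presented_sid


def login_rotating(store, presented_sid, username, password):
    """Same check, but the pre-login id is retired on success: guest state (cart etc.)
    is carried over into a freshly generated id and the old id stops resolving."""
    if USERS.get(username) != password:
        return None
    guest_state = store.get(presented_sid) or {}   # unknown ids get no state at all
    store.destroy(presented_sid)
    return store.create({**guest_state, "user": username})


def attacker_wins(login) -> bool:
    """Scenario: the victim logs in through an id the attacker chose and still knows."""
    store = SessionStore()
    planted = "id-the-attacker-picked"
    login(store, planted, "alice", USERS["alice"])
    victim = store.get(planted)                 # attacker replays the planted id
    return bool(victim) and victim.get("user") == "alice"


def guest_upgrade_demo() -> dict:
    """Scenario: a guest with a cart logs in; the guest id must stop working."""
    store = SessionStore()
    guest = store.create({"cart": ["sku-1"]})
    new = login_rotating(store, guest, "alice", USERS["alice"])
    return {
        "rotated": new is not None and new != guest,
        "old_id_dead": store.get(guest) is None,
        "state_carried": store.get(new) == {"cart": ["sku-1"], "user": "alice"},
        "bad_password_rejected": login_rotating(store, new, "alice", "wrong") is None,
    }
```

Two details carry the fix: unknown ids are never adopted, and rotation happens on the server at the privilege boundary rather than relying on the client to drop its old cookie.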
39) Cleartext storage of sensitive information (CVE-ID: CVE-2019-8118)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.
40) Insufficient verification of data authenticity (CVE-ID: CVE-2019-8124)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks.
41) XML Entity Expansion (CVE-ID: CVE-2019-8126)
The vulnerability allows a remote privileged user to gain access to sensitive information.
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.
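Layout XML has no legitimate use for a document type definition, so the cleanest defence against entry 41 is to refuse the DOCTYPE itself rather than to try to disable individual resolution features: with no DTD there is no place to declare an entity, which rules out both external-entity reads and nested-entity expansion. The following is an added example, not Magento's layout loader, of a parser built on the standard library's expat binding that aborts on the first DTD construct. The layout samples are constructed. (In Magento's own PHP stack the equivalent concern is libxml, which resolves external entities unless entity loading is disabled.)

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Added example (not Magento's layout loader): parse an admin-supplied layout update
# with a parser that aborts on the first DTD construct. Samples are constructed.


class DtdNotAllowed(ValueError):
    """Raised when a layout document carries a DOCTYPE or entity declaration."""


def parse_layout_xml(data: bytes) -> ET.Element:
    """Build an ElementTree from layout XML, refusing any DOCTYPE. Because the
    DOCTYPE handler fires before any entity is declared or resolved, neither
    external-entity reads (XXE) nor entity expansion can happen."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} not allowed in layout XML")

    def reject_entity(*_):
        raise DtdNotAllowed("entity declaration not allowed in layout XML")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = builder.start       # (tag, attrs) matches TreeBuilder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.buffer_text = True
    parser.Parse(data, True)                         # exceptions from handlers propagate
    return builder.close()


def layout_is_safe(data: bytes) -> bool:
    try:
        parse_layout_xml(data)
        return True
    except DtdNotAllowed:
        return False


# Constructed samples
BENIGN = b"""<?xml version="1.0"?>
<page><body><referenceContainer name="content">
  <block class="Magento\\Framework\\View\\Element\\Template" name="promo" template="promo.phtml"/>
</referenceContainer></body></page>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE page [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<page><body><block name="&xxe;"/></body></page>"""

LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lol [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<page>&b;</page>"""
```

Rejecting at the DOCTYPE also gives a clean audit signal: an admin submitting layout XML with a DTD is either copying from a template that never worked or probing, and either deserves a log line.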
42) SQL injection (CVE-ID: CVE-2019-8127)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
43) Cross-site request forgery (CVE-ID: CVE-2019-7851)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages.
44) Information disclosure (CVE-ID: CVE-2019-7852)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties.
45) Cross-site scripting (CVE-ID: CVE-2019-7853)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configuration in the Magento admin panel.
46) Information disclosure (CVE-ID: CVE-2019-7854)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
47) Cryptographic issues (CVE-ID: CVE-2019-7855)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.
48) Cross-site request forgery (CVE-ID: CVE-2019-7857)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, for example causing unwanted items to be added to a shopper's cart, due to an insufficiently robust anti-CSRF token implementation.
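Entry 48 names the weakness as an insufficiently robust anti-CSRF token, and the same pattern underlies the other CSRF entries in this bulletin (33, 43, 56, 63, 64). A token is robust when it is unguessable, bound to the session that will use it and to the action it authorizes, expires, and is compared in constant time; an Origin check is a cheap second layer. The following added example (not Magento's form_key implementation) shows such a token and a constructed cart-add handler that enforces both. The key, origin and request shapes are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not Magento's form_key implementation): a per-session, per-action,
# expiring anti-CSRF token plus an Origin check, exercised with constructed requests.

SERVER_KEY = secrets.token_bytes(32)            # assumption: a persistent key from config
ALLOWED_ORIGINS = {"https://shop.example"}       # constructed storefront origin
TOKEN_TTL = 3600                                 # seconds a token stays valid


def _mac(session_id: str, action: str, ts: str, key: bytes) -> str:
    msg = f"{session_id}|{action}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str, now=None, key: bytes = SERVER_KEY) -> str:
    """Token = timestamp.HMAC(session, action, timestamp): unguessable, bound to one
    session and one action, and self-expiring without server-side storage."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, action, ts, key)}"


def verify_token(token, session_id: str, action: str, now=None, key: bytes = SERVER_KEY) -> bool:
    try:
        ts, mac = token.split(".", 1)
        ts_int = int(ts)
    except (AttributeError, ValueError):        # missing or malformed token
        return False
    now_int = int(time.time() if now is None else now)
    if ts_int > now_int or now_int - ts_int > TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(session_id, action, ts, key))   # constant time


def handle_cart_add(request: dict, session_id: str, now=None) -> str:
    """State change accepted only on POST, from an allowed Origin (when the browser
    sends one), and with a token valid for this session and this action."""
    if request.get("method") != "POST":
        return "405 state changes require POST"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return "403 cross-site origin"
    token = request.get("form", {}).get("form_key")
    if not verify_token(token, session_id, "cart/add", now=now):
        return "403 invalid or expired form_key"
    return "200 added " + request["form"]["sku"]
```

Binding the token to the action is what stops a token harvested from one harmless form (a wishlist page, say) from being replayed against the cart endpoint.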
49) Cryptographic issues (CVE-ID: CVE-2019-7858)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks.
50) Path traversal (CVE-ID: CVE-2019-7859)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control.
51) Cryptographic issues (CVE-ID: CVE-2019-7860)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A cryptographically weak pseudo-random number generator is used in multiple security-relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
52) Arbitrary file upload (CVE-ID: CVE-2019-7861)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
53) Cross-site scripting (CVE-ID: CVE-2019-7862)
The vulnerability allows a remote privileged user to read and manipulate data.
A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
54) Cross-site scripting (CVE-ID: CVE-2019-7863)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories.
55) Improper access control (CVE-ID: CVE-2019-7864)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
56) Cross-site request forgery (CVE-ID: CVE-2019-7865)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
57) Cross-site scripting (CVE-ID: CVE-2019-7866)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor.
58) Cross-site scripting (CVE-ID: CVE-2019-7867)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status.
59) Cross-site scripting (CVE-ID: CVE-2019-7868)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules.
60) Cross-site scripting (CVE-ID: CVE-2019-7869)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups.
61) Security Features (CVE-ID: CVE-2019-7871)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection.
62) Improper Authorization (CVE-ID: CVE-2019-7872)
The vulnerability allows a remote privileged user to read and manipulate data.
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks. This can be abused by a user with admin privileges to add users to company accounts or modify existing user details.
63) Cross-site request forgery (CVE-ID: CVE-2019-7873)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule.
64) Cross-site request forgery (CVE-ID: CVE-2019-7874)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles.
65) Cross-site scripting (CVE-ID: CVE-2019-7875)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to newsletter templates.
66) Input validation error (CVE-ID: CVE-2019-7876)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.
67) Cross-site scripting (CVE-ID: CVE-2019-7877)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript.
68) Cross-site scripting (CVE-ID: CVE-2019-7880)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascript.
69) Cross-site scripting (CVE-ID: CVE-2019-7881)
The vulnerability allows a remote authenticated user to read and manipulate data.
A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).
70) Cross-site scripting (CVE-ID: CVE-2019-7882)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.
71) Input validation error (CVE-ID: CVE-2019-7885)
The vulnerability allows a remote authenticated user to execute arbitrary code.
Insufficient input validation in the config builder of the Elasticsearch module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search.
72) Cryptographic issues (CVE-ID: CVE-2019-7886)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A cryptographic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptographic mechanism is used to generate the initialization vector in multiple security-relevant contexts.
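Entries 37, 51 and 72 all come down to a deterministic PRNG being used where unpredictability is the security property: a confirmation code, "multiple security relevant contexts", and initialization vectors. What "cryptographically weak" costs in practice is easiest to see with the confirmation-code case from entry 37. The following added example, not Magento code, draws a code from a Mersenne Twister seeded with a low-entropy value (a registration timestamp, a constructed assumption about the seed source) next to one drawn from the OS CSPRNG, and runs the attacker loop that recovers the first but not the second. The confirmation service is a constructed stand-in.

```python
import random
import secrets
import string

# Added example, not Magento code: a confirmation code drawn from a deterministic PRNG
# seeded with a low-entropy value (here, a registration timestamp) next to one drawn from
# the OS CSPRNG, and the attacker loop that tells them apart. The service is constructed.

ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 32


def weak_confirmation_code(seed: int, length: int = CODE_LENGTH) -> str:
    """Mersenne Twister seeded from something an attacker can bound (timestamp, pid...).
    Anyone who can reproduce the seed reproduces the code exactly."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_confirmation_code(length: int = CODE_LENGTH) -> str:
    """Each character from the OS CSPRNG: 36**32 (about 165 bits) of search space."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fresh_iv(size: int = 16) -> bytes:
    """Same rule for IVs and nonces (entry 72): take them from the CSPRNG, never from
    an mt_rand-style generator, and never reuse one."""
    return secrets.token_bytes(size)


class ConfirmationService:
    """Stand-in for the account-confirmation endpoint; counts attempts."""

    def __init__(self, code: str):
        self._code = code
        self.attempts = 0
        self.confirmed = False

    def confirm(self, code: str) -> bool:
        self.attempts += 1
        if secrets.compare_digest(code, self._code):
            self.confirmed = True
        return self.confirmed


def guess_via_seed_window(service: ConfirmationService, registered_at: int, window: int = 300) -> bool:
    """Attacker knows roughly when the account was registered (for instance because the
    attacker registered the victim's address) and walks the seed window instead of the
    code space: at most 2*window+1 requests against the endpoint."""
    for seed in range(registered_at - window, registered_at + window + 1):
        if service.confirm(weak_confirmation_code(seed)):
            return True
    return False
```

Note that the code length is identical in both cases: a 32-character code gives no security at all if the generator behind it has only a few hundred reachable states.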
73) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2019-7889)
The vulnerability allows a remote authenticated user to manipulate data.
An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications.
74) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-7890)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
75) Code Injection (CVE-ID: CVE-2019-7892)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation that enables server-side request forgery. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
76) Input validation error (CVE-ID: CVE-2019-7895)
The vulnerability allows a remote privileged user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update.
77) Input validation error (CVE-ID: CVE-2019-7896)
The vulnerability allows a remote privileged user to execute arbitrary code.
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.
78) Cross-site scripting (CVE-ID: CVE-2019-7897)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to customer configurations to inject malicious JavaScript.
79) Input validation error (CVE-ID: CVE-2019-7898)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input.
80) Input validation error (CVE-ID: CVE-2019-7899)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
81) Improper access control (CVE-ID: CVE-2019-7904)
The vulnerability allows a remote authenticated user to manipulate data.
Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes.
82) Cross-site scripting (CVE-ID: CVE-2019-7908)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify product information.
83) Cross-site scripting (CVE-ID: CVE-2019-7909)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to email templates.
84) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-7911)
The vulnerability allows a remote privileged user to execute arbitrary code.
A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to the admin panel to manipulate system configuration and execute arbitrary code.
85) Arbitrary file upload (CVE-ID: CVE-2019-7912)
The vulnerability allows a remote privileged user to execute arbitrary code.
A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the upload and execution of malicious files on the server.
86) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-7913)
The vulnerability allows a remote privileged user to execute arbitrary code.
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment methods to execute arbitrary code.
87) Input validation error (CVE-ID: CVE-2019-7915)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers.
88) Cross-site scripting (CVE-ID: CVE-2019-7921)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious JavaScript.
89) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-7923)
The vulnerability allows a remote privileged user to execute arbitrary code.
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code.
90) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-7925)
The vulnerability allows a remote privileged user to manipulate data.
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an administrator with limited privileges to delete the downloadable products folder.
91) Cross-site scripting (CVE-ID: CVE-2019-7926)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious JavaScript.
92) Cross-site scripting (CVE-ID: CVE-2019-7927)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product content pages to inject malicious JavaScript.
93) Input validation error (CVE-ID: CVE-2019-7928)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the Magento merchant and PayPal.
94) Information disclosure (CVE-ID: CVE-2019-7929)
The vulnerability allows a remote privileged user to gain access to sensitive information.
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges may be able to view metadata of a trusted device used by another administrator via a crafted HTTP request.
95) Arbitrary file upload (CVE-ID: CVE-2019-7930)
The vulnerability allows a remote privileged user to execute arbitrary code.
A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a malicious file is then uploaded and executed on the system.
96) Code Injection (CVE-ID: CVE-2019-7932)
The vulnerability allows a remote privileged user to execute arbitrary code.
A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can execute arbitrary PHP code by creating a malicious sitemap file.
97) Cross-site scripting (CVE-ID: CVE-2019-7934)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious JavaScript.
98) Cross-site scripting (CVE-ID: CVE-2019-7935)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious JavaScript.
99) Cross-site scripting (CVE-ID: CVE-2019-7936)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious JavaScript.
100) Cross-site scripting (CVE-ID: CVE-2019-7937)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious JavaScript.
101) Cross-site scripting (CVE-ID: CVE-2019-7938)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious JavaScript.
102) Cross-site scripting (CVE-ID: CVE-2019-7939)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious JavaScript execution in the victim's browser.
103) Cross-site scripting (CVE-ID: CVE-2019-7940)
The vulnerability allows a remote privileged user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify store currency options to inject malicious JavaScript.
104) Code Injection (CVE-ID: CVE-2019-7942)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation of XML layout updates. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
105) Cross-site scripting (CVE-ID: CVE-2019-7944)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious JavaScript.
106) Cross-site scripting (CVE-ID: CVE-2019-7945)
The vulnerability allows a remote authenticated user to read and manipulate data.
A stored cross-site scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious JavaScript.
107) Cross-site request forgery (CVE-ID: CVE-2019-7947)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
108) Improper access control (CVE-ID: CVE-2019-7950)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidential information.
109) Information disclosure (CVE-ID: CVE-2019-7951)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to leak customer information via crafted SOAP requests.
Remediation
Install the update from the vendor's website.
References
- https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
- https://magento.com/security/patches/supee-11219
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-24
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13