#VU30904 Cross-site scripting in Magento Open Source - CVE-2019-7881
Published: August 3, 2019 / Updated: July 17, 2020
Vulnerability identifier: #VU30904
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-7881
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Magento Open Source
Magento Open Source
Software vendor:
Adobe
Adobe
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).
Remediation
Install update from vendor's website.