#VU30937 Cross-site scripting in Magento Open Source


Published: 2019-08-03 | Updated: 2020-07-17

Vulnerability identifier: #VU30937

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7939

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Magento Open Source
Web applications / E-Commerce systems

Vendor: Magento, Inc

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious javascript execution in the victim's browser.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Magento Open Source: 2.3.0 - 2.3.1


External links
http://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability