Lucene search

GitHub Advisory DatabaseGHSA-GG96-8W9X-7RX9

HistoryMay 24, 2022 - 4:52 p.m.

Magento 2 Community Edition Cross-site Scripting Vulnerability

2022-05-2416:52:27

CWE-79

GitHub Advisory Database

github.com

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

27.3%

JSON

A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javascript.

Affected configurations

Vulners

Node

magentomagentoRange<2.3.2community

magentomagentoRange<2.2.9community

magentomagentoRange<2.1.18community

CPENameOperatorVersion
magento/community-editionlt2.3.2
magento/community-editionlt2.2.9
magento/community-editionlt2.1.18

Name	Operator	Version
magento/community-edition	lt	2.3.2
magento/community-edition	lt	2.2.9
magento/community-edition	lt	2.1.18

References

github.com/advisories/GHSA-gg96-8w9x-7rx9

github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7921.yaml

magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23

nvd.nist.gov/vuln/detail/CVE-2019-7921

web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

27.3%

JSON

Related for GHSA-GG96-8W9X-7RX9