Composer JavaScript injection possible via html comments

2019-11-1222:59:47

Google

osv.dev

0.001 Low

EPSS

Percentile

46.5%

JSON

In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.

CPENameOperatorVersion
magento/community-editioneq2.2.5
magento/community-editioneq2.3.0
magento/community-editioneq2.2.7
magento/community-editioneq2.2.0
magento/community-editioneq2.2.4
magento/community-editioneq2.2.9
magento/community-editioneq2.3.2-p2
magento/community-editioneq2.2.2
magento/community-editioneq2.2.6
magento/community-editioneq2.3.1

Name	Operator	Version
magento/community-edition	eq	2.2.5
magento/community-edition	eq	2.3.0
magento/community-edition	eq	2.2.7
magento/community-edition	eq	2.2.0
magento/community-edition	eq	2.2.4
magento/community-edition	eq	2.2.9
magento/community-edition	eq	2.3.2-p2
magento/community-edition	eq	2.2.2
magento/community-edition	eq	2.2.6
magento/community-edition	eq	2.3.1