2 matches found
CVE-2019-8152
A stored cross-site scripting XSS vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective function and inject malicious javascript ...
CVE-2019-8152
Magento 1: stored XSS via wysiwyg blockDirective() in admin cache affects 1.x before 1.9.4.3 and 1.14.4.3; Magento 2: affected if below 2.2.10 (2.2) or below 2.3.3 (2.3) or 2.3.2-p1. Authenticated user with wysiwyg editor access can inject JavaScript into the admin dashboard cache. Mitigation/pat...