CVE-2019-8155Cross-Site Request Forgery in Magento

CWE-352Cross-Site Request Forgery3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 79.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MagentoAdobe Systems Incorporated Magento 1
Timeline
PublishedNov 6
Latest updateMay 24

Description

Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDmagento/magento1.5.0.01.9.4.3+1
CVEListV5adobe_systems_incorporated/magento_1Magento Commerce prior to 1.14.4.3, Magento Open Source prior to 1.9.4.3+1

🔴Vulnerability Details

2
GHSA
GHSA-vfgg-4hvr-6rq9: Magento prior to 12022-05-24
CVEList
CVE-2019-8155: Magento prior to 12019-11-05
CVE-2019-8155 — Cross-Site Request Forgery in Magento | cvebase