CVE-2019-8228: Cross-site Scripting in Magento

Severity: 4.8 MEDIUM (NVD)
EPSS: 1.8% (top 17.17%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 6; Latest update May 24

Description

In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into a transactional email page when creating a new email template or editing an existing email template.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages: 3 packages

NVD | magento/magento | 1.5.0.0 | 1.9.4.3 | +1
Packagist | magento/community-edition | < 1.9.4.3
CVEListV5 | adobe_systems_incorporated/magento_1 | Magento Commerce prior to 1.14.4.3, Magento Open Source prior to 1.9.4.3 | +1

Vulnerability Details (2)

GHSA: Withdrawn Advisory: Magento 2 Community Edition XSS Vulnerability (2022-05-24)
CVEList: CVE-2019-8228: in Magento prior to 1 (2019-11-05)