Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5

Severity breakdown: 41 CRITICAL, 105 HIGH, 192 MEDIUM, 17 LOW (355 total)

Vulnerabilities
Page 14 of 18

CVE-2019-8132 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability
P4 | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can place a malicious payload in the template Name field of an Email template in the "Design Configuration" dashboard.
Sources: GHSA, OSV

CVE-2019-8128 [MEDIUM] CWE-79 Magento Cross-Site Scripting via store name
P4 | Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p1 | 2022-05-24
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious JavaScript into the name of the main website.
Sources: GHSA, OSV

CVE-2024-45129 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability
P4 | Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more ranges) | 2024-10-10
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require us
Sources: GHSA, OSV

CVE-2024-45121 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability
P4 | Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more ranges) | 2024-10-10
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not requi
Sources: GHSA, OSV

CVE-2024-45130 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability
P4 | Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more ranges) | 2024-10-10
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not requi
Sources: GHSA, OSV

CVE-2018-5301 [MEDIUM] CWE-352 Magento Cross-Site Request Forgery (CSRF)
P4 | Affected: ≥ 0, < 2.0.10; ≥ 2.1.0, < 2.1.2 | 2022-05-14
Magento Community Edition and Enterprise Edition before 2.0.10, and 2.1.x before 2.1.2, have a CSRF vulnerability that allows deletion of a customer address from an address book, aka APPSEC-1433.
Sources: GHSA, OSV

CVE-2024-45123 [MEDIUM] CWE-79 Magento Open Source reflected Cross-Site Scripting (XSS) vulnerability
P4 | Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more ranges) | 2024-10-10
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's brows
Sources: GHSA, OSV

CVE-2021-21027 [MEDIUM] CWE-352 Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API
P4 | Affected: ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.2 | 2022-05-24
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin consol
Sources: GHSA, OSV

CVE-2020-24405 [MEDIUM] CWE-285 Magento incorrect permissions vulnerability in the Inventory module
P4 | Affected: ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1 | 2022-05-24
Magento versions 2.4.0 and 2.3.5-p1 (and earlier) are affected by an incorrect permissions vulnerability in the Inventory module. Authenticated users could abuse it to modify inventory stock data without authorization.
Sources: GHSA, OSV

CVE-2020-9584 [MEDIUM] CWE-79 Magento Stored cross-site scripting
P4 | Affected: ≥ 2.3.0, < 2.3.4-p2; ≥ 0, < 2.2.12 | 2022-05-24
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
Sources: GHSA, OSV

CVE-2019-8113 [MEDIUM] CWE-338 Magento 2 Community Weak PRNG
P4 | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1 generate the confirmation code for customer registration with a cryptographically weak random number generator, which lets an attacker brute-force the code.
Sources: GHSA, OSV

CVE-2019-8118 [MEDIUM] CWE-312 Magento 2 Community Edition Weak Cryptography
P4 | Affected: ≥ 2.1.0, < 2.1.19; ≥ 2.2.0, < 2.2.10 (+1 more range) | 2022-05-24
Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 use a weak cryptographic function to store the failed login attempts for customer accounts.
Sources: GHSA, OSV

CVE-2023-29288 [MEDIUM] CWE-863 Magento Open Source allows Incorrect Authorization
P4 | Affected: ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4 | 2023-06-15
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user inte
Sources: GHSA, OSV

CVE-2023-29296 [LOW] CWE-863 Magento Open Source allows Incorrect Authorization
P4 | Affected: ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4 | 2023-06-15
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user int
Sources: GHSA, OSV

CVE-2023-29295 [LOW] CWE-863 Magento Open Source allows Incorrect Authorization
P4 | Affected: ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4 | 2023-06-15
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV

CVE-2019-7921 [MEDIUM] CWE-79 Magento 2 Community Edition Cross-site Scripting Vulnerability
P4 | Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9 (+1 more range) | 2022-05-24
A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. It could be exploited by an authenticated user with privileges to the product catalog to inject malicious JavaScript.
Sources: GHSA, OSV

CVE-2019-8117 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability
P4 | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via the product view ID.
Sources: GHSA, OSV

CVE-2019-8157 [MEDIUM] CWE-79 Magento Cross-Site Scripting via admin panel
P4 | Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p1 | 2022-05-24
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate a downloadable link and trigger an error handler that accesses user input without sanitization.
Sources: GHSA, OSV

CVE-2019-8147 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability
P4 | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via a customer attribute label.
Sources: GHSA, OSV

CVE-2019-8142 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability
P4 | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via the title of an order when configuring sales payment methods for a store.
Sources: GHSA, OSV

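The affected ranges on this page are written as ≥ / < bounds on Magento version strings, and those strings carry pre-release suffixes (2.4.7-beta1) and security-patch suffixes (2.3.2-p1, 2.4.6-p8). A plain string or tuple comparison gets them wrong: 2.3.2-p1 must sort above 2.3.2 (the CVE-2019-8132 range "< 2.3.2-p1" includes 2.3.2 but not the patch release), while 2.4.7-beta1 must sort below 2.4.7. The following is an added example written for this page, not code from the listing, from Magento or from Adobe. It parses the ranges in the notation used here, compares an installed version against them, and reports matching CVE ids for a handful of rows copied from this page. It assumes Composer-style suffix ordering (alpha < beta < rc < plain release < p) and that every bound of a range must hold at once; the names `PAGE_ROWS` and `affected_cves` are the example's own.

```python
"""Check an installed Magento version against the affected ranges listed on this page."""
import re
from typing import Dict, List, Tuple

# Suffix ordering assumed here (Composer-style): pre-releases sort below the plain
# release and security patch releases (-pN) sort above it, so
# 2.4.7-beta1 < 2.4.7 < 2.4.7-p1 < 2.4.7-p2 < 2.4.7-p3.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3, "p": 4}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(alpha|beta|rc|p)(\d*))?$", re.IGNORECASE)
# One bound of a range: an operator (the page uses ≥ and <) followed by a version.
_BOUND_RE = re.compile(r"(>=|<=|≥|≤|<|>)\s*([0-9][0-9A-Za-z.\-]*)")
_OPS = {
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
}

Version = Tuple[Tuple[int, ...], int, int]


def parse_version(text: str) -> Version:
    """'2.3.2-p1' -> ((2, 3, 2, 0), 4, 1); short forms like '2.3' or '0' pad with zeros.

    Raises ValueError on anything that is not a Magento-style version, so a fused
    or garbled string fails loudly instead of silently comparing as 'not affected'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    suffix = (m.group(2) or "").lower()
    number = int(m.group(3)) if m.group(3) else 0
    return (tuple(nums), _SUFFIX_RANK[suffix], number)


def parse_ranges(text: str) -> List[List[Tuple[str, Version]]]:
    """Split a row's affected text into ranges, each a list of (op, version) bounds.

    Accepts ranges separated by ';' or simply run together ('< 2.2.10≥ 2.3.0').
    Every lower bound starts a new range; trailing notes such as '+2 more' are ignored.
    """
    ranges: List[List[Tuple[str, Version]]] = []
    for op, ver in _BOUND_RE.findall(text):
        op = {"≥": ">=", "≤": "<="}.get(op, op)
        if op in (">=", ">") or not ranges:
            ranges.append([])
        ranges[-1].append((op, parse_version(ver)))
    return ranges


def is_affected(installed: str, affected_text: str) -> bool:
    """True if `installed` satisfies every bound of at least one range."""
    version = parse_version(installed)
    return any(
        all(_OPS[op](version, bound) for op, bound in bounds)
        for bounds in parse_ranges(affected_text)
    )


# A few rows copied from this page (CVE id -> affected ranges as printed).
PAGE_ROWS: Dict[str, str] = {
    "CVE-2019-8132": "≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1",
    "CVE-2021-21027": "≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.2",
    "CVE-2024-45129": "≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8",
    "CVE-2018-5301": "≥ 0, < 2.0.10; ≥ 2.1.0, < 2.1.2",
}


def affected_cves(installed: str, rows: Dict[str, str] = PAGE_ROWS) -> List[str]:
    """CVE ids from `rows` whose ranges include `installed`, in page order."""
    return [cve for cve, text in rows.items() if is_affected(installed, text)]


if __name__ == "__main__":
    for candidate in ("2.3.2", "2.3.2-p1", "2.4.7-beta1", "2.4.7-p3"):
        print(candidate, "->", affected_cves(candidate) or "none of the sampled rows")
```

Two caveats when using the listing this way. First, the 2024 rows record their 2.4.6 range as starting at 2.4.6-p1, while Adobe's text says "2.4.6-p7 ... and earlier", so a plain 2.4.6 install passes this check against the page's ranges even though the advisory wording covers it; when the two disagree, treat the advisory as authoritative. Second, rows marked "+2 more ranges" are truncated here, so a "not affected" result from the sampled ranges only means the version missed the ranges you fed in, not that the CVE does not apply.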