Magento Community-Edition vulnerabilities

CVE-2019-8131 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source.

CVE-2019-7944 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript.

CVE-2021-21027 [MEDIUM] CWE-352 Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin consol

CVE-2021-28563 [MEDIUM] CWE-285 Magento Unauthorized access to restricted resources Magento Unauthorized access to restricted resources Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

CVE-2019-7868 [MEDIUM] CWE-79 Magento Cross-site Scripting in the admin panel Magento Cross-site Scripting in the admin panel A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules.

CVE-2019-7937 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript.

CVE-2021-28556 [MEDIUM] CWE-79 Magento DOM-based Cross-Site Scripting vulnerability on mage-messages cookies Magento DOM-based Cross-Site Scripting vulnerability on mage-messages cookies Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for s

CVE-2019-7881 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).

CVE-2021-21031 [MEDIUM] CWE-613 Magento Insufficient Session Expiration Magento Insufficient Session Expiration Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.

CVE-2019-7853 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configuration in the Magento admin panel.

CVE-2019-7875 [MEDIUM] CWE-79 Magento 2 Community Edition Cross-site Scripting Vulnerability Magento 2 Community Edition Cross-site Scripting Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to newsletter templates.

CVE-2019-7898 [MEDIUM] CWE-20 Magento 2 Community Edition Information Disclosure Magento 2 Community Edition Information Disclosure Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input.

CVE-2021-28567 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability in the customers module Magento Improper Authorization vulnerability in the customers module Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation.

CVE-2021-21020 [MEDIUM] CWE-284 Magento Improper Access Control Magento Improper Access Control Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources.

CVE-2019-7926 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious javascript.

CVE-2019-7867 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status.

CVE-2020-9690 [MEDIUM] CWE-203 Magento observable timing discrepancy vulnerability Magento observable timing discrepancy vulnerability Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

CVE-2020-24408 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.

CVE-2019-8146 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release

CVE-2019-7851 [MEDIUM] CWE-352 Magento 2 Community Edition CSRF vulnerability Magento 2 Community Edition CSRF vulnerability A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages.