Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 3
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 17 of 18
CVE-2019-8107 | MEDIUM | affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
Magento 2 Community Edition Arbitrary File Deletion. An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion.
CVE-2020-9692 | MEDIUM | CWE-863 | affected: ≥ 0, < 2.3.5-p2 | 2022-05-24
Magento security mitigation bypass vulnerability. Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-8152 | MEDIUM | CWE-79 | affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3, < 2.3.2-p2 | 2022-05-24
Magento 2 Community Edition XSS Vulnerability. A stored cross-site scripting (XSS) vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the WYSIWYG editor can abuse the `blockDirective()` function and inject malicious JavaScript into the cache of the admin dashboard. As per [the Magento Release 2.3.3](h
CVE-2020-3758 | MEDIUM | CWE-79 | affected: ≥ 2.3.0, < 2.3.4; ≥ 0, < 2.2.11 | 2022-05-24
Magento stored cross-site scripting vulnerability. Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8148 | MEDIUM | CWE-79 | affected: ≥ 2.3.0, < 2.3.2-p2 | 2022-05-24
Magento 2 Community Edition XSS Vulnerability. A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release-notes-2-3-3-commerce.htm
CVE-2019-7882 | MEDIUM | CWE-79 | affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | 2022-05-24
Magento 2 Community Edition XSS Vulnerability. A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.
CVE-2020-9577 | MEDIUM | CWE-79 | affected: ≥ 0, < 2.3.4-p2 | 2022-05-24
Magento stored cross-site scripting vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-8090 | MEDIUM | affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.3 | 2022-05-24
Magento 2 Community Edition Arbitrary File Deletion. An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can manipulate the design layout update feature.
CVE-2021-36012 | MEDIUM | affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
Magento affected by a business logic error in the placeOrder graphql mutation. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to alter the price of an item.
CVE-2019-7887 | MEDIUM | CWE-79 | affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | 2022-05-24
Magento 2 Community Edition Cross-site Scripting Vulnerability. A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.
CVE-2020-24405 | MEDIUM | CWE-285 | affected: ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1 | 2022-05-24
Magento incorrect permissions vulnerability in the Inventory module. Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.
CVE-2019-8123 | MEDIUM | CWE-778 | affected: ≥ 2.1.0, < 2.1.19; ≥ 2.2.0, < 2.2.10; +1 more | 2022-05-24
Magento 2 Community Edition Insufficient Logging. An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficient data to effectively track configuration changes. As per [the Magento Release 2.3.3](https://web.arch
CVE-2020-9581 | MEDIUM | CWE-79 | affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2 | 2022-05-24
Magento stored cross-site scripting vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2019-7899 | MEDIUM | CWE-20 | affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | 2022-05-24
Magento 2 Community Edition Information Disclosure. Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
CVE-2019-7877 | MEDIUM | CWE-79 | affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | 2022-05-24
Magento 2 Community Edition XSS Vulnerability. A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious JavaScript.
CVE-2019-7872 | MEDIUM | CWE-285 | affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | 2022-05-24
Magento Insufficient authorization check when adding users to company accounts. An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorization checks. This can be abused by a user with admin privileges to add users to company accounts or modify existing user details.
CVE-2019-8128 | MEDIUM | CWE-79 | affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p1 | 2022-05-24
Magento Cross-Site Scripting via store name. A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious JavaScript into the name of the main website.
CVE-2021-36026 | MEDIUM | CWE-79 | affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
Magento stored cross-site scripting vulnerability in the customer address upload feature. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Mali
CVE-2021-21032 | MEDIUM | CWE-613 | affected: ≥ 2.4.0, < 2.4.1-p1; ≥ 0, < 2.3.6 | 2022-05-24
Magento Insufficient Session Expiration. Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
CVE-2019-8120 | MEDIUM | CWE-79 | affected: ≥ 2.1.0, < 2.1.19; ≥ 2.2.0, < 2.2.10; +1 more | 2022-05-24
Magento 2 Community Edition XSS Vulnerability. A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary JavaScript code by manipulating a section of a POST request related to the customer's email address.