cbcvebase.

Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs
355
CISA KEV
3
actively exploited
Public exploits
4
Exploited in wild
5
Severity breakdown
CRITICAL41HIGH105MEDIUM192LOW17

Vulnerabilities

Page 17 of 18
CVE-2019-7934P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7934 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript.
ghsaosv
CVE-2019-7908P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7908 [MEDIUM] CWE-79 Magento Cross-site Scripting in the admin panel Magento Cross-site Scripting in the admin panel A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify product information.
ghsaosv
CVE-2019-7866P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7866 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor.
ghsaosv
CVE-2019-7927P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7927 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product content pages to inject malicious javascript.
ghsaosv
CVE-2019-7935P4MEDIUM≥ 2.1, < 2.1.18≥ 2.2, < 2.2.9+1 more2022-05-24
CVE-2019-7935 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript.
ghsaosv
CVE-2019-7936P4MEDIUM≥ 2.3.0, < 2.3.2≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7936 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javascript.
ghsaosv
CVE-2019-7880P4MEDIUM≥ 2.1, < 2.1.18≥ 2.2, < 2.2.9+1 more2022-05-24
CVE-2019-7880 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascript.
ghsaosv
CVE-2019-7863P4MEDIUM≥ 2.1, < 2.1.18≥ 2.2, < 2.2.9+1 more2022-05-24
CVE-2019-7863 [MEDIUM] CWE-79 Magento Stored cross-site scripting in admin panel Magento Stored cross-site scripting in admin panel A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories.
ghsaosv
CVE-2019-7869P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7869 [MEDIUM] CWE-79 Magento Stored Cross-site Scripting vulnerability in the admin panel Magento Stored Cross-site Scripting vulnerability in the admin panel A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups.
ghsaosv
CVE-2019-7868P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7868 [MEDIUM] CWE-79 Magento Cross-site Scripting in the admin panel Magento Cross-site Scripting in the admin panel A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rules.
ghsaosv
CVE-2019-7937P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7937 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript.
ghsaosv
CVE-2019-7926P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7926 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious javascript.
ghsaosv
CVE-2019-7867P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7867 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status.
ghsaosv
CVE-2019-7887P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7887 [MEDIUM] CWE-79 Magento 2 Community Edition Cross-site Scripting Vulnerability Magento 2 Community Edition Cross-site Scripting Vulnerability A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.
ghsaosv
CVE-2024-39409P4MEDIUM≥ 2.4.7-p1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14
CVE-2024-39409 [MEDIUM] CWE-352 Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into click
ghsaosv
CVE-2019-8115P4MEDIUM≥ 2.2.0, < 2.2.10≥ 2.3.0, < 2.3.2-p12022-05-24
CVE-2019-8115 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation.
ghsaosv
CVE-2019-8148P4MEDIUM≥ 2.3.0, < 2.3.2-p22022-05-24
CVE-2019-8148 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when creating a content page via page builder. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release-notes-2-3-3-commerce.htm
ghsaosv
CVE-2025-24429P4LOW≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24429 [LOW] CWE-284 Magento Improper Access Control vulnerability Magento Improper Access Control vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2019-7873P4MEDIUM≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7873 [MEDIUM] CWE-352 Magento 2 Community Edition Cross-site Scripting Vulnerability Magento 2 Community Edition Cross-site Scripting Vulnerability A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule.
ghsaosv
CVE-2020-9690P4MEDIUM≥ 0, < 2.3.5-p22022-05-24
CVE-2020-9690 [MEDIUM] CWE-203 Magento observable timing discrepancy vulnerability Magento observable timing discrepancy vulnerability Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
ghsaosv
Magento Community-Edition vulnerabilities | cvebase