Description

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status.

Remediation

References

CVE-2019-7867

Related Vulnerabilities

WordPress Plugin Import Spreadsheets from Microsoft Excel Arbitrary File Upload (10.1.4)

WordPress Deserialization of Untrusted Data Vulnerability (CVE-2020-36326)

Drupal Cryptographic Issues Vulnerability (CVE-2013-6386)

Grafana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-18624)

TYPO3 Cleartext Transmission of Sensitive Information Vulnerability (CVE-2022-31046)

Severity

Medium

Classification

CVE-2019-7867 CWE-707 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities