Description
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.
Remediation
References