Description

A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.

Remediation

References

CVE-2019-7882

Related Vulnerabilities

Oracle Database Server CVE-2006-5337 Vulnerability (CVE-2006-5337)

WordPress Plugin Carousel slideshow 'swfupload.swf' Cross-Site Scripting (3.10)

WordPress Plugin Clicky by Yoast Multiple Cross-Site Scripting Vulnerabilities (1.5)

WordPress Plugin FluentSMTP-WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Cross-Site Scripting (2.2.4)

WordPress Plugin Content Control-User Access Restriction Cross-Site Scripting (1.1.9)

Severity

Medium

Classification

CVE-2019-7882 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities