Description

A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is disabled.

Remediation

References

CVE-2019-7887

Related Vulnerabilities

WordPress Plugin WP Maps-Display Google Maps Perfectly with Ease Cross-Site Request Forgery (4.2.3)

WordPress Plugin Login Logout Menu Multiple Cross-Site Scripting Vulnerabilities (1.3.3)

WordPress Plugin N-Media Website Contact Form with File Upload Arbitrary File Upload (2.1)

WordPress Plugin Ecommerce-Two Factor Authentication Cross-Site Scripting (1.0.4)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-4941)

Severity

Medium

Classification

CVE-2019-7887 CWE-707 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities