Description
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript.
Remediation
References
Related Vulnerabilities
WordPress Plugin Yasr-Yet Another Stars Rating PHP Object Injection (1.8.6)
Grafana Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2026-28383)
WordPress Plugin Quick Contact Form Cross-Site Scripting (6.0)
IBM RTC CVE-2018-1694 Vulnerability (CVE-2018-1694)
Jenkins Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-1000399)