Description
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email address.
Remediation
References
Related Vulnerabilities
WebLogic Uncontrolled Resource Consumption Vulnerability (CVE-2025-30753)
axios Uncontrolled Resource Consumption Vulnerability (CVE-2026-39865)
WordPress Plugin OAuth Single Sign On-SSO (OAuth Client) Cross-Site Scripting (6.20.2)
WordPress Plugin MDC YouTube Downloader Local File Inclusion (2.1.0)