Description
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious payload in the template Name field of an email template in the "Design Configuration" dashboard.
Remediation
References