Description
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event.
Remediation
References
Related Vulnerabilities
LimeSurvey Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2007-5573)
WordPress Plugin Code Insert Manager (Q2W3 Inc Manager) ZeroClipboard Cross-Site Scripting (2.3.1)
WordPress 4.2.x Possible SQL Injection Vulnerability (4.2 - 4.2.16)
WordPress Plugin A2 Optimized WP Information Disclosure (2.0.10.8)