Magento: >> Magento >> 2.2.8 Security Vulnerabilities
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-01-29
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
CVSS Score
9.8
EPSS Score
0.173
Published
2020-01-29
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS Score
5.3
EPSS Score
0.003
Published
2020-01-29
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
CVSS Score
9.8
EPSS Score
0.087
Published
2020-01-29
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design Configuration" dashboard.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-11-06
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-11-06
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution.
CVSS Score
7.2
EPSS Score
0.011
Published
2019-11-06
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate downloadable link and cause an invocation of error handling that acceses user input without sanitization.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-11-06
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data.
CVSS Score
9.8
EPSS Score
0.002
Published
2019-11-06
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.
CVSS Score
6.6
EPSS Score
0.001
Published
2019-11-06