Vulnerabilities > Magento

DATE        CVE             VULNERABILITY TITLE                                                   RISK
2019-08-02  CVE-2019-7855   Cryptographic Issues vulnerability in Magento                         5.0
            A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.
            Attack vector: network | Complexity: low | Vendor: magento | CWE-310

2019-08-02  CVE-2019-7854   Authorization Bypass Through User-Controlled Key vulnerability in Magento   5.0
            An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
            Attack vector: network | Complexity: low | Vendor: magento | CWE-639

2019-08-02  CVE-2019-7853   Cross-site Scripting vulnerability in Magento                         3.5
            A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
            Attack vector: network | Vendor: magento | CWE-79

2019-08-02  CVE-2019-7852   Information Exposure vulnerability in Magento                         5.0
            A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
            Attack vector: network | Complexity: low | Vendor: magento | CWE-200

2019-08-02  CVE-2019-7851   Cross-Site Request Forgery (CSRF) vulnerability in Magento            5.8
            A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages.
            Attack vector: network | Vendor: magento | CWE-352

2019-08-02  CVE-2019-7849   Session Fixation vulnerability in Magento                             5.0
            A defense-in-depth check was added to mitigate inadequate session validation handling by third-party checkout modules.
            Attack vector: network | Complexity: low | Vendor: magento | CWE-384

2019-04-10  CVE-2019-7139   SQL Injection vulnerability in Magento                                7.5
            An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage.
            Attack vector: network | Complexity: low | Vendor: magento | CWE-89

2018-01-08  CVE-2018-5301   Cross-Site Request Forgery (CSRF) vulnerability in Magento            5.8
            Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433.
            Attack vector: network | Vendor: magento | CWE-352

2017-12-30  CVE-2016-10704  Cross-site Scripting vulnerability in Magento                         4.3
            Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503.
            Attack vector: network | Vendor: magento | CWE-79

2017-09-26  CVE-2015-8707   Information Exposure vulnerability in Magento                         5.0
            Password reset tokens in Magento CE before 1.9.2.2 and Magento EE before 1.14.2.2 are passed via a GET request and not canceled after use, which allows remote attackers to obtain user passwords via a crafted external service with access to the referrer field.
            Attack vector: network | Complexity: low | Vendor: magento | CWE-200