Vulnerabilities > Magento

DATE CVE VULNERABILITY TITLE RISK
2020-06-26 CVE-2020-9577 Cross-site Scripting vulnerability in Magento
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability.
network
magento CWE-79
4.3
2020-06-26 CVE-2020-9576 OS Command Injection vulnerability in Magento
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability.
network
low complexity
magento CWE-78
7.5
2020-03-09 CVE-2014-1634 SQL Injection vulnerability in Magento Advanced Newsletter 2.3.4
SQL Injection exists in Advanced Newsletter Magento extension before 2.3.5 via the /store/advancednewsletter/index/subscribeajax/an_category_id/ PATH_INFO.
network
low complexity
magento CWE-89
critical
10.0
2020-01-29 CVE-2020-3758 Cross-site Scripting vulnerability in Magento
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability.
network
magento CWE-79
4.3
2020-01-29 CVE-2020-3719 SQL Injection vulnerability in Magento
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability.
network
low complexity
magento CWE-89
7.8
2020-01-29 CVE-2020-3718 Unspecified vulnerability in Magento
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability.
network
low complexity
magento
critical
10.0
2020-01-29 CVE-2020-3717 Path Traversal vulnerability in Magento
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability.
network
low complexity
magento CWE-22
5.0
2020-01-29 CVE-2020-3716 Deserialization of Untrusted Data vulnerability in Magento
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability.
network
low complexity
magento CWE-502
critical
10.0
2020-01-29 CVE-2020-3715 Cross-site Scripting vulnerability in Magento
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability.
network
magento CWE-79
4.3
2020-01-15 CVE-2015-6497 Improper Input Validation vulnerability in Magento 1.14.1.0/1.9.1.0
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.
network
low complexity
magento php CWE-20
6.5