Vulnerabilities > Magento

DATE CVE VULNERABILITY TITLE RISK
2019-11-06 CVE-2019-8158 XML Injection (aka Blind XPath Injection) vulnerability in Magento
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1.
network
low complexity
magento CWE-91
7.5
7.5
2019-11-06 CVE-2019-8157 Cross-site Scripting vulnerability in Magento
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1.
network
magento CWE-79
3.5
3.5
2019-11-06 CVE-2019-8156 Server-Side Request Forgery (SSRF) vulnerability in Magento
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1.
network
low complexity
magento CWE-918
6.5
6.5
2019-11-06 CVE-2019-8145 Cross-site Scripting vulnerability in Magento
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1.
network
magento CWE-79
3.5
3.5
2019-11-06 CVE-2019-8132 Cross-site Scripting vulnerability in Magento
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1.
network
magento CWE-79
3.5
3.5
2019-11-06 CVE-2019-8233 Cross-site Scripting vulnerability in Magento
In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.
network
magento CWE-79
4.3
4.3
2019-11-06 CVE-2019-8232 Race Condition vulnerability in Magento
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.
network
magento CWE-362
6.0
6.0
2019-11-06 CVE-2019-8231 Unspecified vulnerability in Magento
In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.
network
low complexity
magento
6.5
6.5
2019-11-06 CVE-2019-8230 Unspecified vulnerability in Magento
In Magentoprior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.
network
low complexity
magento
6.5
6.5
2019-11-06 CVE-2019-8229 Unspecified vulnerability in Magento
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.
network
low complexity
magento
6.5
6.5