magento/community-edition
Packagist353 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting magento/community-editionpage 2 of 8
- CVE-2019-7913HIGHCVSS 7.2EG 7.2✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment m…
- CVE-2019-7915HIGHCVSS 7.5EG 7.5✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve…
- CVE-2019-7921MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the product catalog form of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the …
- CVE-2019-7923HIGHCVSS 7.2EG 7.2✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by authenticated user with admin privileges to manipulate shipment sett…
- CVE-2019-7925MEDIUMCVSS 4.9EG 4.9✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an administrator with limited privileges to delete the downloa…
- CVE-2019-7926MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node a…
- CVE-2019-7927MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit product …
- CVE-2019-7928HIGHCVSS 7.5EG 7.5✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attack…
- CVE-2019-7929MEDIUMCVSS 4.9EG 4.9✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges may be able to view metadata of a trusted device used b…
- CVE-2019-7930HIGHCVSS 7.2EG 7.2✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configura…
- CVE-2019-7932HIGHCVSS 7.2EG 7.2✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with a…
- CVE-2019-7934MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Thi…
- CVE-2019-7935MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Thi…
- CVE-2019-7936MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.1.182019-08-02
vulnerable: 2.1.0 ... 2.1.9 (18 versions)
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify conten…
- CVE-2019-7937MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product…
- CVE-2019-7938MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Thi…
- CVE-2019-7939MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that…
- CVE-2019-7942HIGHCVSS 7.2EG 7.2✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via mal…
- CVE-2019-7944MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to…
- CVE-2019-7945MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user …
- CVE-2019-7947MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3…
- CVE-2019-7950HIGHCVSS 7.5EG 7.5✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrar…
- CVE-2019-7951HIGHCVSS 7.5EG 7.5✓ Fixed in 2.3.22019-08-02
vulnerable: 2.3.0, 2.3.1
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be a…
- CVE-2019-8090MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.3.32019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2, 2.3.2-p2
An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated users can manipulate the design layout update feature.
- CVE-2019-8092MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview.
- CVE-2019-8093HIGHCVSS 8.8EG 8.8✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage file upload controller for downloadable products to read/delete an arbitary files.
- CVE-2019-8107MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion.
- CVE-2019-8108MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.3.2-p22019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to inse…
- CVE-2019-8109HIGHCVSS 8.0EG 8.0✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution.
- CVE-2019-8110HIGHCVSS 8.8EG 8.8✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage email templates hierarchy to manipulate the interceptor class in a way that allows an a…
- CVE-2019-8111HIGHCVSS 8.8EG 8.8✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in …
- CVE-2019-8112HIGHCVSS 7.5EG 7.5✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained…
- CVE-2019-8113MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration.
- CVE-2019-8114HIGHCVSS 7.2EG 7.2✓ Fixed in 2.3.2-p22019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitr…
- CVE-2019-8115MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple pro…
- CVE-2019-8117MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.2-p12019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticates user can inject arbitrary JavaScript code via product view id specification.
- CVE-2019-8118MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.3.32019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2, 2.3.2-p2
Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.
- CVE-2019-8119HIGHCVSS 7.2EG 7.2✓ Fixed in 2.3.32019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2, 2.3.2-p2
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import a…
- CVE-2019-8120MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.32019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2, 2.3.2-p2
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST …
- CVE-2019-8121CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.3.32019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2, 2.3.2-p2
An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known sec…
- CVE-2019-8122HIGHCVSS 8.8EG 8.8✓ Fixed in 2.3.32019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2, 2.3.2-p2
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import pr…
- CVE-2019-8123MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.3.32019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2, 2.3.2-p2
An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monito…
- CVE-2019-8124MEDIUMCVSS 4.9EG 4.9✓ Fixed in 2.3.32019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2, 2.3.2-p2
An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation a…
- CVE-2019-8126MEDIUMCVSS 4.9EG 4.9✓ Fixed in 2.3.2-p22019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document ty…
- CVE-2019-8127HIGHCVSS 8.8EG 8.8✓ Fixed in 2.3.2-p22019-11-05
vulnerable: 2.3.0, 2.3.1, 2.3.2
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login d…
- CVE-2019-8128MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.2-p12019-11-06
vulnerable: 2.3.0, 2.3.1, 2.3.2
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website.
- CVE-2019-8129MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.2-p22019-11-06
vulnerable: 2.3.0, 2.3.1, 2.3.2
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation.
- CVE-2019-8130HIGHCVSS 8.8EG 8.8✓ Fixed in 2.3.2-p12019-11-06
vulnerable: 2.3.0, 2.3.1, 2.3.2
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through g…
- CVE-2019-8131MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.2-p12019-11-06
vulnerable: 2.3.0, 2.3.1, 2.3.2
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source.
- CVE-2019-8132MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.3.2-p12019-11-06
vulnerable: 2.3.0, 2.3.1, 2.3.2
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft malicious payload in the template Name field for Email template in the "Design…
Check whether magento/community-edition is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for magento/community-edition CVEs against the assets you own.
Start Free Scan →