CVE-2019-7139: XSS
First published: Tue Mar 26 2019(Updated: )
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
Credit: psirt@adobe.com psirt@adobe.com psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/magento1ee | >=1.9.0.0<1.14.4.1 | |
| composer/magento/magento1ce | >=1.5.0.0<1.9.4.1 | |
| composer/magento/product-community-edition | >=2.1<2.1.18 | |
| Magento Magento | <1.9.4.1 | |
| Magento Magento | >=1.14.0.0<1.14.4.1 | |
| Magento Magento | >=2.1.0<2.1.17 | |
| Magento Magento | >=2.1.0<2.1.17 | |
| Magento Magento | >=2.2.0<2.2.8 | |
| Magento Magento | >=2.2.0<2.2.8 | |
| Magento Magento | >=2.3.0<2.3.1 | |
| Magento Magento | >=2.3.0<2.3.1 | |
| composer/magento/community-edition | >=2.3.0<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2.0<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1.0<2.1.18 | 2.1.18 |
| <1.9.4.1 | ||
| >=1.14.0.0<1.14.4.1 | ||
| >=2.1.0<2.1.17 | ||
| >=2.1.0<2.1.17 | ||
| >=2.2.0<2.2.8 | ||
| >=2.2.0<2.2.8 | ||
| >=2.3.0<2.3.1 | ||
| >=2.3.0<2.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/supee-11086
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://nvd.nist.gov/vuln/detail/CVE-2019-7139
- https://www.ambionics.io/blog/magento-sqli
- https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://github.com/advisories/GHSA-4j6w-9rf8-hg7r (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-7139.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-7139.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7139.yaml
- collector/friends-of-php
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4j6w-9rf8-hg7r
- alias/CVE-2019-7139
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/weakness
- agent/severity
- agent/references
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/nvd-api
- package-manager/composer
- vendor/magento
- canonical/magento magento
- version/magento magento/1.14.0.0
- version/magento magento/2.1.0
- version/magento magento/2.2.0
- version/magento magento/2.3.0