CVE-2019-7139: XSS
First published: Tue Mar 26 2019(Updated: )
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
Credit: psirt@adobe.com psirt@adobe.com psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/magento1ee | >=1.9.0.0<1.14.4.1 | |
| composer/magento/magento1ce | >=1.5.0.0<1.9.4.1 | |
| composer/magento/product-community-edition | >=2.1<2.1.18 | |
| composer/magento/community-edition | >=2.3.0<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2.0<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1.0<2.1.18 | 2.1.18 |
| CentOS Libgcc | <1.9.4.1 | |
| CentOS Libgcc | >=1.14.0.0<1.14.4.1 | |
| CentOS Libgcc | >=2.1.0<2.1.17 | |
| CentOS Libgcc | >=2.1.0<2.1.17 | |
| CentOS Libgcc | >=2.2.0<2.2.8 | |
| CentOS Libgcc | >=2.2.0<2.2.8 | |
| CentOS Libgcc | >=2.3.0<2.3.1 | |
| CentOS Libgcc | >=2.3.0<2.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/supee-11086
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://nvd.nist.gov/vuln/detail/CVE-2019-7139
- https://www.ambionics.io/blog/magento-sqli
- https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://github.com/advisories/GHSA-4j6w-9rf8-hg7r (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-7139.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-7139.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7139.yaml
Frequently Asked Questions
What is the severity of CVE-2019-7139?
CVE-2019-7139 has a critical severity rating due to its potential for sensitive data leakage.
How do I fix CVE-2019-7139?
To fix CVE-2019-7139, upgrade to Magento versions 2.1.18, 2.2.9, or 2.3.2 or later.
Which versions of Magento are affected by CVE-2019-7139?
CVE-2019-7139 affects Magento versions prior to 2.1.18, 2.2.9, and 2.3.2.
Is CVE-2019-7139 an authenticated or unauthenticated vulnerability?
CVE-2019-7139 is an unauthenticated vulnerability, allowing attackers to execute SQL statements.
What type of vulnerability is CVE-2019-7139 classified as?
CVE-2019-7139 is classified as an SQL injection vulnerability.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4j6w-9rf8-hg7r
- alias/CVE-2019-7139
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/1.14.0.0
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0