CVE-2019-7926: XSS
First published: Tue Jun 25 2019(Updated: )
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious javascript.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/product-community-edition | >=2.1<2.1.18>=2.2<2.2.9>=2.3<2.3.2 | |
| composer/magento/community-edition | >=2.3.0<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2.0<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1.0<2.1.18 | 2.1.18 |
| CentOS Libgcc | >=2.1.0<2.1.18 | |
| CentOS Libgcc | >=2.2.0<2.2.9 | |
| CentOS Libgcc | >=2.3.0<2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://nvd.nist.gov/vuln/detail/CVE-2019-7926
- https://web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://github.com/advisories/GHSA-525g-rvh4-v5c9 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7926.yaml
Frequently Asked Questions
What is the severity of CVE-2019-7926?
CVE-2019-7926 has a medium severity level due to the potential for authenticated users to inject malicious JavaScript.
How do I fix CVE-2019-7926?
To fix CVE-2019-7926, upgrade Magento to version 2.1.18, 2.2.9, or 2.3.2 or later.
What versions of Magento are affected by CVE-2019-7926?
CVE-2019-7926 affects Magento 2.1 versions before 2.1.18, 2.2 versions before 2.2.9, and 2.3 versions before 2.3.2.
Who can exploit the vulnerability stated in CVE-2019-7926?
CVE-2019-7926 can be exploited by authenticated users who have privileges to modify node attributes.
What type of vulnerability is CVE-2019-7926?
CVE-2019-7926 is classified as a stored cross-site scripting (XSS) vulnerability.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-525g-rvh4-v5c9
- alias/CVE-2019-7926
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0