CVE-2019-7934: XSS
First published: Tue Jun 25 2019(Updated: )
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/magento1ee | >=1<1.14.4.2 | |
| composer/magento/product-community-edition | >=2.1<2.1.18>=2.2<2.2.9>=2.3<2.3.2 | |
| composer/magento/magento1ce | >=1<1.9.4.2 | |
| composer/magento/community-edition | >=2.3.0<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2.0<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1.0<2.1.18 | 2.1.18 |
| CentOS Libgcc | <1.9.4.2 | |
| CentOS Libgcc | <1.14.4.2 | |
| CentOS Libgcc | >=2.1.0<2.1.18 | |
| CentOS Libgcc | >=2.2.0<2.2.9 | |
| CentOS Libgcc | >=2.3.0<2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://nvd.nist.gov/vuln/detail/CVE-2019-7934
- https://web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://github.com/advisories/GHSA-77mv-p94f-qcq4 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-7934.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-7934.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7934.yaml
Frequently Asked Questions
What is the severity of CVE-2019-7934?
CVE-2019-7934 is classified as a stored cross-site scripting vulnerability that poses a significant risk to affected Magento versions.
How do I fix CVE-2019-7934?
To fix CVE-2019-7934, upgrade your Magento installation to the latest versions: 1.9.4.2 for Magento Open Source, 1.14.4.2 for Magento Commerce, 2.1.18 for Magento 2.1, 2.2.9 for Magento 2.2, or 2.3.2 for Magento 2.3.
Which Magento versions are affected by CVE-2019-7934?
CVE-2019-7934 affects Magento Open Source versions prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, and various Magento 2.x versions prior to their respective secure releases.
Who can exploit CVE-2019-7934?
CVE-2019-7934 can be exploited by an authenticated user with sufficient privileges within the Magento admin panel.
What are the risks of not addressing CVE-2019-7934?
Failing to address CVE-2019-7934 leaves your Magento application vulnerable to cross-site scripting attacks, which can lead to data theft or unauthorized actions.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-77mv-p94f-qcq4
- alias/CVE-2019-7934
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0