CVE-2019-7935: XSS
First published: Tue Jun 25 2019(Updated: )
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/magento1ee | >=1<1.14.4.2 | |
| composer/magento/magento1ce | >=1<1.9.4.2 | |
| composer/magento/product-community-edition | >=2.1<2.1.18>=2.2<2.2.9>=2.3<2.3.2 | |
| composer/magento/community-edition | >=2.3<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1<2.1.18 | 2.1.18 |
| CentOS Libgcc | <1.9.4.2 | |
| CentOS Libgcc | <1.14.4.2 | |
| CentOS Libgcc | >=2.1.0<2.1.18 | |
| CentOS Libgcc | >=2.2.0<2.2.9 | |
| CentOS Libgcc | >=2.3.0<2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://nvd.nist.gov/vuln/detail/CVE-2019-7935
- https://web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://github.com/advisories/GHSA-5c4g-p858-498x (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-7935.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-7935.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7935.yaml
Frequently Asked Questions
What is the severity of CVE-2019-7935?
CVE-2019-7935 has a medium severity rating due to the potential for stored cross-site scripting in the Magento admin panel.
How do I fix CVE-2019-7935?
To fix CVE-2019-7935, upgrade to Magento Open Source version 1.9.4.2 or higher, or to Magento Commerce version 1.14.4.2 or higher.
Which versions are affected by CVE-2019-7935?
CVE-2019-7935 affects Magento Open Source versions prior to 1.9.4.2 and Magento Commerce versions prior to 1.14.4.2.
Can authenticated users exploit CVE-2019-7935?
Yes, authenticated users with appropriate privileges can exploit the stored cross-site scripting vulnerability in CVE-2019-7935.
What type of vulnerability is CVE-2019-7935?
CVE-2019-7935 is categorized as a stored cross-site scripting vulnerability specifically affecting the Magento admin panel.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5c4g-p858-498x
- alias/CVE-2019-7935
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0