CVE-2019-7937: XSS
First published: Tue Jun 25 2019(Updated: )
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/product-community-edition | >=2.1<2.1.18>=2.2<2.2.9>=2.3<2.3.2 | |
| composer/magento/community-edition | >=2.3.0<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2.0<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1.0<2.1.18 | 2.1.18 |
| CentOS Libgcc | >=2.1.0<2.1.18 | |
| CentOS Libgcc | >=2.2.0<2.2.9 | |
| CentOS Libgcc | >=2.3.0<2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://nvd.nist.gov/vuln/detail/CVE-2019-7937
- https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://github.com/advisories/GHSA-94fc-rxhv-vvf8 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7937.yaml
Frequently Asked Questions
What is the severity of CVE-2019-7937?
CVE-2019-7937 has a medium severity rating due to its potential for exploitation through stored cross-site scripting.
How do I fix CVE-2019-7937?
To fix CVE-2019-7937, update your Magento version to 2.1.18, 2.2.9, or 2.3.2 or later.
Who is affected by CVE-2019-7937?
CVE-2019-7937 affects authenticated users of Magento 2.1 prior to 2.1.18, 2.2 prior to 2.2.9, and 2.3 prior to 2.3.2.
What type of vulnerability is CVE-2019-7937?
CVE-2019-7937 is a stored cross-site scripting (XSS) vulnerability.
Can exploited CVE-2019-7937 lead to data breaches?
Yes, exploitation of CVE-2019-7937 could potentially allow attackers to inject malicious JavaScript, leading to data theft or other attacks.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-94fc-rxhv-vvf8
- alias/CVE-2019-7937
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0