CVE-2019-7940: XSS
First published: Tue Jun 25 2019(Updated: )
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify store currency options to inject malicious javascript.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/magento1ee | >=1<1.14.4.2 | |
| composer/magento/product-community-edition | >=2.1<2.1.18>=2.2<2.2.9>=2.3<2.3.2 | |
| composer/magento/magento1ce | >=1<1.9.4.2 | |
| composer/magento/community-edition | >2.3.0<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2.0<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1.0<2.1.18 | 2.1.18 |
| CentOS Libgcc | <1.9.4.2 | |
| CentOS Libgcc | <1.14.4.2 | |
| CentOS Libgcc | >=2.1.0<2.1.18 | |
| CentOS Libgcc | >=2.2.0<2.2.9 | |
| CentOS Libgcc | >=2.3.0<2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://nvd.nist.gov/vuln/detail/CVE-2019-7940
- https://web.archive.org/web/20220127030535/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-24
- https://github.com/advisories/GHSA-cgm7-gjhw-rrf6 (Advisory)
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-24
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-7940.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-7940.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7940.yaml
Frequently Asked Questions
What is the severity of CVE-2019-7940?
CVE-2019-7940 is classified as a stored cross-site scripting vulnerability.
How do I fix CVE-2019-7940?
To fix CVE-2019-7940, update Magento to versions 1.9.4.2, 1.14.4.2, 2.1.18, 2.2.9, or 2.3.2 or later.
Who can exploit CVE-2019-7940?
CVE-2019-7940 can be exploited by an authenticated user with privileges in the admin panel.
Which Magento versions are affected by CVE-2019-7940?
CVE-2019-7940 affects Magento Open Source versions prior to 1.9.4.2 and Commerce versions prior to 1.14.4.2, as well as Magento 2.1, 2.2, and 2.3 versions before specified patch levels.
What is the impact of CVE-2019-7940?
The impact of CVE-2019-7940 is the potential for an attacker to execute malicious scripts in the context of an authenticated user session.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-cgm7-gjhw-rrf6
- alias/CVE-2019-7940
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0