CVE-2019-7945: XSS
First published: Tue Jun 25 2019(Updated: )
A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious javascript.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/magento1ee | >=1<1.14.4.2 | |
| composer/magento/magento1ce | >=1<1.9.4.2 | |
| composer/magento/product-community-edition | >=2.1<2.1.18>=2.2<2.2.9>=2.3<2.3.2 | |
| composer/magento/community-edition | >=2.2.0<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.3.0<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.1.0<2.1.18 | 2.1.18 |
| CentOS Libgcc | <1.9.4.2 | |
| CentOS Libgcc | <1.14.4.2 | |
| CentOS Libgcc | >=2.1.0<2.1.18 | |
| CentOS Libgcc | >=2.2.0<2.2.9 | |
| CentOS Libgcc | >=2.3.0<2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://nvd.nist.gov/vuln/detail/CVE-2019-7945
- https://web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
- https://github.com/advisories/GHSA-c45w-p293-7cv6 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-7945.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-7945.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7945.yaml
Frequently Asked Questions
What is the severity of CVE-2019-7945?
CVE-2019-7945 is categorized as a stored cross-site scripting vulnerability.
How do I fix CVE-2019-7945?
To fix CVE-2019-7945, you should upgrade Magento Open Source to version 1.9.4.2 or higher, or Magento Commerce to version 1.14.4.2 or higher.
Which Magento versions are affected by CVE-2019-7945?
CVE-2019-7945 affects Magento Open Source versions prior to 1.9.4.2 and Magento Commerce versions prior to 1.14.4.2.
Who is impacted by CVE-2019-7945?
Authenticated users with privileges to modify currency symbols are impacted by CVE-2019-7945.
Is it safe to continue using software affected by CVE-2019-7945?
No, it is not safe to continue using software affected by CVE-2019-7945 without applying the necessary updates.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c45w-p293-7cv6
- alias/CVE-2019-7945
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0