CVE-2019-8120: XSS
First published: Tue Oct 08 2019(Updated: )
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email address.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/product-community-edition | >=2.2<2.2.10>=2.3<2.3.2-p2 | |
| composer/magento/community-edition | >=2.3.0<2.3.3 | 2.3.3 |
| composer/magento/community-edition | >=2.2.0<2.2.10 | 2.2.10 |
| composer/magento/community-edition | >=2.1.0<2.1.19 | 2.1.19 |
| CentOS Libgcc | >=2.1.0<2.1.19 | |
| CentOS Libgcc | >=2.1.0<2.1.19 | |
| CentOS Libgcc | >=2.2.0<2.2.10 | |
| CentOS Libgcc | >=2.2.0<2.2.10 | |
| CentOS Libgcc | >=2.3.0<=2.3.2 | |
| CentOS Libgcc | >=2.3.0<=2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
- https://nvd.nist.gov/vuln/detail/CVE-2019-8120
- https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
- https://github.com/advisories/GHSA-985w-mqqp-7287 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8120.yaml
Frequently Asked Questions
What is the severity of CVE-2019-8120?
CVE-2019-8120 is rated as a moderate severity vulnerability due to the potential for authenticated users to execute arbitrary JavaScript on affected Magento versions.
How do I fix CVE-2019-8120?
To fix CVE-2019-8120, upgrade your Magento installation to version 2.1.19, 2.2.10, or 2.3.3 or later.
What versions are affected by CVE-2019-8120?
CVE-2019-8120 affects Magento versions 2.1 before 2.1.19, 2.2 before 2.2.10, and 2.3 before 2.3.3.
Can CVE-2019-8120 be exploited remotely?
CVE-2019-8120 cannot be exploited remotely as it requires an authenticated user to perform actions that trigger the vulnerability.
What type of vulnerability is CVE-2019-8120?
CVE-2019-8120 is classified as a stored cross-site scripting (XSS) vulnerability.
- collector/friends-of-php
- agent/first-publish-date
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-985w-mqqp-7287
- alias/CVE-2019-8120
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/weakness
- agent/references
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0
- version/centos libgcc/2.3.2