First published: Tue Oct 08 2019
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary JavaScript code by manipulating the section of a POST request related to a customer's email address.
Credit: psirt@adobe.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/magento/product-community-edition | >=2.2<2.2.10, >=2.3<2.3.2-p2 | |
composer/magento/community-edition | >=2.3.0<2.3.3 | 2.3.3 |
composer/magento/community-edition | >=2.2.0<2.2.10 | 2.2.10 |
composer/magento/community-edition | >=2.1.0<2.1.19 | 2.1.19 |
CentOS Libgcc | >=2.1.0<2.1.19 | |
CentOS Libgcc | >=2.2.0<2.2.10 | |
CentOS Libgcc | >=2.3.0<=2.3.2 | |
CVE-2019-8120 is rated as a moderate severity vulnerability due to the potential for authenticated users to execute arbitrary JavaScript on affected Magento versions.
To fix CVE-2019-8120, upgrade your Magento installation to version 2.1.19, 2.2.10, or 2.3.3 or later.
CVE-2019-8120 affects Magento versions 2.1 before 2.1.19, 2.2 before 2.2.10, and 2.3 before 2.3.3.
CVE-2019-8120 cannot be exploited remotely as it requires an authenticated user to perform actions that trigger the vulnerability.
CVE-2019-8120 is classified as a stored cross-site scripting (XSS) vulnerability.