First published: Tue Oct 08 2019(Updated: )
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product.
Credit: psirt@adobe.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/magento/product-community-edition | >=2.2<2.2.10>=2.3<2.3.2-p2 | |
composer/magento/community-edition | >=2.3.0<2.3.2-p1 | 2.3.2-p1 |
composer/magento/community-edition | >=2.2.0<2.2.10 | 2.2.10 |
CentOS Libgcc | >=2.3.0<2.3.2 | |
CentOS Libgcc | >=2.3.0<2.3.2 | |
CentOS Libgcc | =2.3.2 | |
CentOS Libgcc | =2.3.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-8139 is classified as a stored cross-site scripting (XSS) vulnerability, which can lead to the execution of arbitrary JavaScript code.
To remediate CVE-2019-8139, upgrade to Magento version 2.3.2-p1 or 2.2.10.
CVE-2019-8139 affects users of Magento 2.3 versions prior to 2.3.3 and 2.2 versions prior to 2.2.10.
An attacker can exploit CVE-2019-8139 to inject and execute arbitrary JavaScript in the context of an authenticated user's session.
Yes, CVE-2019-8139 specifically affects the Magento platform and its versions mentioned.