
GSA_kwCzR0hTQS1mNnd3LXZxdzIteHAzds4AAhkQ

Severity: Moderate | CVSS: 4.3 | EPSS: 0.00032% (0.08505 Percentile)

Magento Cross-Site Request Forgery (CSRF)

Affected Package: packagist:magento/community-edition
Affected Versions: >= 2.1.0, < 2.1.18; >= 2.2.0, < 2.2.9; >= 2.3.0, < 2.3.2
Fixed Versions: 2.1.18, 2.2.9, 2.3.2
13 Dependent packages
12 Dependent repositories
51,271 Downloads total

Affected Version Ranges

All affected versions

2.1.0, 2.1.0-rc1, 2.1.0-rc2, 2.1.0-rc3, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.3.0, 2.3.1

All unaffected versions

2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.1.18, 2.2.9, 2.2.10, 2.2.11, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8

A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation.

References: