An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qam1nLXhtcTItZzZmZs4AAil9

Magento 2 Community Edition XSS Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Magento 1 prior to and, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the WYSIWYG editor can abuse the blockDirective() function and inject malicious JavaScript into the cache of the admin dashboard.

As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 10 days ago

CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-jjmg-xmq2-g6ff, CVE-2019-8152

Affected Packages

Versions: >= 2.3, < 2.3.2-p2, >= 2.2.0, < 2.2.10
Fixed in: 2.3.2-p2, 2.2.10