Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qam1nLXhtcTItZzZmZs4AAil9

Magento 2 Community Edition XSS Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard.

As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

Permalink: https://github.com/advisories/GHSA-jjmg-xmq2-g6ff
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qam1nLXhtcTItZzZmZs4AAil9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 10 days ago


CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-jjmg-xmq2-g6ff, CVE-2019-8152
References:

Affected Packages

packagist:magento/community-edition
Versions: >= 2.3, < 2.3.2-p2, >= 2.2.0, < 2.2.10
Fixed in: 2.3.2-p2, 2.2.10