Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1qam1nLXhtcTItZzZmZs4AAil9

Magento 2 Community Edition XSS Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard.

As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

Permalink: https://github.com/advisories/GHSA-jjmg-xmq2-g6ff
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qam1nLXhtcTItZzZmZs4AAil9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 3 months ago

CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-jjmg-xmq2-g6ff, CVE-2019-8152
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-8152
• https://web.archive.org/web/20211209030216/https://magento.com/security/patches/supee-11219
• https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-8152.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-8152.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8152.yaml
• https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
• https://github.com/advisories/GHSA-jjmg-xmq2-g6ff

Blast Radius: 5.2

Affected Packages