CVE-2019-8152

Summary

A stored cross-site scripting (XSS) vulnerability exists in in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard.

Affected Software

VendorProductVersion RangeStatus
Adobe Systems IncorporatedMagento 1 & 2Magento Open Source prior to 1.9.4.3affected
Adobe Systems IncorporatedMagento 1 & 2and Magento Commerce prior to 1.14.4.3affected
Adobe Systems IncorporatedMagento 1 & 2Magento 2.2 prior to 2.2.10affected
Adobe Systems IncorporatedMagento 1 & 2Magento 2.3 prior to 2.3.3 or 2.3.2-p1affected

Weaknesses

  • Cross-Site Scripting

ADP Enrichment

CVE Program Container

Additional References

References