CVE-2019-7934

EUVD-2022-2944
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
magentomagento
𝑥
< 1.9.4.2
magentomagento
𝑥
< 1.14.4.2
magentomagento
2.1.0 ≤
𝑥
< 2.1.18
magentomagento
2.2.0 ≤
𝑥
< 2.2.9
magentomagento
2.3.0 ≤
𝑥
< 2.3.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23
https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23