magento/community-edition
Packagist · 317 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting magento/community-edition (page 1 of 7)
- CVE-2016-6485 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.2.6 | 2017-03-01
vulnerable: 2.0.0 ... 2.2.5 (49 versions)
The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mec…
- CVE-2018-5301 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.1.2 | 2018-01-08
vulnerable: 2.1.0, 2.1.1
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433.
- CVE-2019-7139 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.3.2 | 2019-04-10
vulnerable: 2.3.0, 2.3.1
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.…
- CVE-2019-7849 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 pr…
- CVE-2019-7851 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages.
- CVE-2019-7852 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing i…
- CVE-2019-7853 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to the tax notifications configurat…
- CVE-2019-7854 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
- CVE-2019-7855 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.
- CVE-2019-7857 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token impl…
- CVE-2019-7858 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks.
- CVE-2019-7859 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control.
- CVE-2019-7860 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cryptographically weak pseudo-random number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
- CVE-2019-7861 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
- CVE-2019-7862 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
- CVE-2019-7863 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categ…
- CVE-2019-7864 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
- CVE-2019-7865 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration.
- CVE-2019-7866 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product inform…
- CVE-2019-7867 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and o…
- CVE-2019-7868 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage tax rul…
- CVE-2019-7869 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage custome…
- CVE-2019-7871 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrar…
- CVE-2019-7872 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorization checks. This can be abused by a user with admin privi…
- CVE-2019-7873 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule.
- CVE-2019-7874 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles.
- CVE-2019-7875 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Thi…
- CVE-2019-7876 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.
- CVE-2019-7877 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javas…
- CVE-2019-7880 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to marketing ema…
- CVE-2019-7881 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).
- CVE-2019-7882 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. …
- CVE-2019-7885 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused…
- CVE-2019-7886 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A cryptographic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptographic mechanism is used to generate the initialization vector in multiple security relevant contexts.
- CVE-2019-7887 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 w…
- CVE-2019-7888 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a maliciou…
- CVE-2019-7889 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with marketing ma…
- CVE-2019-7890 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
- CVE-2019-7892 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code…
- CVE-2019-7895 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML la…
- CVE-2019-7896 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combin…
- CVE-2019-7897 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Thi…
- CVE-2019-7898 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate…
- CVE-2019-7899 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9,…
- CVE-2019-7903 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a …
- CVE-2019-7904 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes.
- CVE-2019-7908 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify produc…
- CVE-2019-7909 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Thi…
- CVE-2019-7911 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exp…
- CVE-2019-7912 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 2.3.2 | 2019-08-02
vulnerable: 2.3.0, 2.3.1
A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file exten…