Multiple vulnerabilities in Magento Commerce and Open Source
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 16 |
| CVE-ID | CVE-2019-8235 |
| CWE-ID | CWE-200 CWE-79 CWE-264 CWE-799 CWE-352 CWE-918 CWE-94 CWE-284 CWE-89 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Adobe Commerce (formerly Magento Commerce) Web applications / E-Commerce systems Magento Open Source Web applications / E-Commerce systems |
| Vendor |
Magento, Inc Adobe |
Security Bulletin
This security bulletin contains information about 16 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU22421
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-8235
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to Insecure direct object references issue. A remote authenticated user can view personally identifiable shipping details of another user.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:magento:magento_commerce:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:magento:magento_commerce:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:magento:magento_commerce:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU18728
Risk: High
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Amber]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can inject and execute arbitrary HTML through a CLI command and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU18727
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to spam using share a wishlist functionality. A remote attacker can send spam messages.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Missing CAPTCHA
EUVDB-ID: #VU18726
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-799 - Improper Control of Interaction Frequency
Exploit availability: No
DescriptionInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cross-site request forgery
EUVDB-ID: #VU18725
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can delete the content of wyswig directory within the context of authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site request forgery
EUVDB-ID: #VU18724
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can delete the site map within the context of an authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site request forgery
EUVDB-ID: #VU18723
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can delete a product attribute within the context of authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 1.14.0.0 - 1.14.4.0
Magento Open Source: 1.9.0.0 - 2.3.0
CPE2.3- cpe:2.3:a:magento:magento_commerce:1.14.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:1.9.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU18722
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Amber]
CVE-ID: N/A
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to the unsafe handling of an API call to a core bundled extension. A remote authenticated attacker with privileges to configure store settings can execute arbitrary code execution through server-side request forgery.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Code Injection
EUVDB-ID: #VU18721
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in email template. A remote administrator can send a specially crafted request and execute arbitrary code through email templates on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Code Injection
EUVDB-ID: #VU18720
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation via crafted newsletter and email templates . A remote authenticated attacker with privileges to create newsletter or email templates can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improper access control
EUVDB-ID: #VU18719
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions of the Insecure direct object reference in the application. A remote authenticated attacker can enumerate and access unauthorized wishlist via insecure direct object reference in the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper access control
EUVDB-ID: #VU18718
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to a bypass of authentication controls for a customer using a web API endpoint. A remote authenticated attacker can control other customer's requisition lists by using a web API endpoint to send a request to the server. This overrides the customer_id parameter.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU18715
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: N/A
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to bypassing the need for administrator authentication approval on B2B accounts. A remote authenticated attacker can create a B2B account without administrative approval.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Information disclosure
EUVDB-ID: #VU18714
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to administrative credentials are logged in exception reports. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 1.14.0.0 - 1.14.4.0
Magento Open Source: 1.9.0.0 - 2.3.0
CPE2.3- cpe:2.3:a:magento:magento_commerce:1.14.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:1.9.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Information disclosure
EUVDB-ID: #VU18713
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to default configuration allows public access to custom PHP settings. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagento Open Source: 2.1.0 - 2.3.0
CPE2.3- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) SQL injection
EUVDB-ID: #VU18711
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote unauthenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 1.14.0.0 - 1.14.4.0
Magento Open Source: 1.9.0.0 - 2.3.0
CPE2.3- cpe:2.3:a:magento:magento_commerce:1.14.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:1.9.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento:2.3.0:*:*:*:*:*:*:*
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
