Filtered by vendor Magento
Subscribe
Total
222 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8232 | 1 Magento | 1 Magento | 2020-08-24 | 6.0 MEDIUM | 6.6 MEDIUM |
| In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification. | |||||
| CVE-2019-8230 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magentoprior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path. | |||||
| CVE-2019-7896 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update. | |||||
| CVE-2019-7925 | 1 Magento | 1 Magento | 2020-08-24 | 5.5 MEDIUM | 4.9 MEDIUM |
| An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an administrator with limited privileges to delete the downloadable products folder. | |||||
| CVE-2019-7915 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers. | |||||
| CVE-2019-8137 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate CMS section of the website can trigger remote code execution via custom layout update. | |||||
| CVE-2019-8231 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification. | |||||
| CVE-2019-8155 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions. | |||||
| CVE-2019-8229 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. | |||||
| CVE-2019-7854 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details. | |||||
| CVE-2019-8123 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficent data to effectively track configuration changes. | |||||
| CVE-2019-8107 | 1 Magento | 1 Magento | 2020-08-24 | 5.5 MEDIUM | 6.5 MEDIUM |
| An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion. | |||||
| CVE-2019-8122 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution. | |||||
| CVE-2019-8116 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page. | |||||
| CVE-2019-8150 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout. | |||||
| CVE-2019-8133 | 1 Magento | 1 Magento | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service. | |||||
| CVE-2019-8111 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code. | |||||
| CVE-2019-7890 | 1 Magento | 1 Magento | 2020-08-24 | 7.5 HIGH | 7.3 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details. | |||||
| CVE-2020-9689 | 1 Magento | 1 Magento | 2020-07-30 | 8.5 HIGH | 6.5 MEDIUM |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2020-9690 | 1 Magento | 1 Magento | 2020-07-30 | 3.5 LOW | 4.2 MEDIUM |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass. | |||||