CVE-2019-7938

MEDIUM

Magento < 1.9.4.2, < 1.14.4.2, 2.1.0-2.1.17, 2.2.0-2.2.8, 2.3.0-2.3.1 - Stored XSS in Catalog Price Rules

Title source: llm

Description

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious javascript.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23

Scores

CVSS v3 4.8

EPSS 0.0009

EPSS Percentile 25.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (6)

magento/community-edition 2.1.0 - 2.1.18Packagist

magento/magento < 1.14.4.2

magento/magento < 1.9.4.2

magento/magento1ce 1 - 1.9.4.2Packagist

magento/magento1ee 1 - 1.14.4.2Packagist

magento/product-community-edition 2.1 - 2.1.18Packagist

Published Aug 02, 2019

Tracked Since Feb 18, 2026