CVE-2019-8228

MEDIUM

Magento < 1.9.4.3 and < 1.14.4.3 - Authenticated Stored Cross-Site Scripting in Email Template Editor

Title source: llm
STIX 2.1

Description

in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_misc
https://magento.com/security/patches/supee-11219

Scores

CVSS v3 4.8
EPSS 0.0180
EPSS Percentile 83.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (3)
magento/community-edition 0 - 1.9.4.3Packagist
magento/magento 1.5.0.0 - 1.9.4.3
magento/magento 1.9.0.0 - 1.14.4.3
Published Nov 06, 2019
Tracked Since Feb 18, 2026