4.8

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-7863

GHSA ID

GHSA-p8gw-x2p7-vc73

EPSS Score

0.29961%

CWE

CWE-79

Published

5/24/2022

Updated

5/15/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-7863

CVE-2019-7863: Magento Stored cross-site scripting in admin panel

A stored cross-site scripting vulnerability exists in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to products and categories.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-7863

CVE-2019-7863:

4.8

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-7863

GHSA ID

GHSA-p8gw-x2p7-vc73

EPSS Score

0.29961%

CWE

CWE-79

Published

5/24/2022

Updated

5/15/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.1, < 2.1.18	2.1.18
magento/community-edition	composer	>= 2.2, < 2.2.9	2.2.9
magento/community-edition	composer	>= 2.3, < 2.3.2	2.3.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability affects authenticated users with product/category access and involves stored XSS in admin panels. Core product/category editing interfaces are the most likely vectors. While exact patch details are unavailable, Magento's attribute rendering system (particularly text input handling in admin forms) is a common XSS surface area. The Text attribute renderer specifically handles raw user input for product attributes, and category forms manage structured data - both would require proper escaping when rendering admin UI elements. The confidence is high because these components directly handle user-controllable data display in the vulnerable admin interface context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-7863: Magento Stored cross-site scripting in admin panel

CVE-2019-7863:

4.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.8

4.8

CVE-2019-7863: Magento Stored cross-site scripting in admin panel

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI