
CVE-2019-7875: Magento 2 Community Edition Cross-site Scripting Vulnerability

CVSS Score (v3.0): 4.8

Basic Information

EPSS Score: 0.3017%
Published: 5/24/2022
Updated: 2/12/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name              | Ecosystem | Vulnerable Versions  | First Patched Version
--------------------------|-----------|----------------------|----------------------
magento/community-edition | composer  | >= 2.1.0, < 2.1.18   | 2.1.18
magento/community-edition | composer  | >= 2.2.0, < 2.2.9    | 2.2.9
magento/community-edition | composer  | >= 2.3.0, < 2.3.2    | 2.3.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability involves stored XSS in admin newsletter templates. Analysis focused on the template management flow:

  1. The Save controller is the entry point for storing user-provided template content.
  2. The Preview functionality is a key attack surface for rendering untrusted content.
  3. Block-level rendering methods are the final output point, where escaping would be critical.

While exact patch details are unavailable, Magento's architecture patterns and the vulnerability description strongly implicate these core newsletter template handling components. The medium confidence reflects educated inference based on Magento's structure and XSS mitigation patterns.

T** vuln*r**ility involv*s stor** XSS in **min n*wsl*tt*r t*mpl*t*s. *n*lysis *o*us** on t** t*mpl*t* m*n***m*nt *low: *. S*v* *ontroll*r is t** *ntry point *or storin* us*r-provi*** t*mpl*t* *ont*nt *. Pr*vi*w *un*tion*lity is * k*y *tt**k sur**** *