
CVE-2019-7877: Magento 2 Community Edition XSS Vulnerability

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.24649%
Published: 5/24/2022
Updated: 2/12/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name               Ecosystem   Vulnerable Versions   First Patched Version
magento/community-edition  composer    >= 2.1, < 2.1.18      2.1.18
magento/community-edition  composer    >= 2.2, < 2.2.9       2.2.9
magento/community-edition  composer    >= 2.3, < 2.3.2       2.3.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a stored XSS in the admin panel's order management. Analysis focused on the code paths that retrieve order comment data (Block methods) and render it (templates). The absence of output escaping in those components matches the described mechanism: a comment containing markup is stored verbatim and later written into an admin page, where it executes in the browser of whichever admin views the order. Confidence is medium because the analysis relies on common vulnerability patterns rather than on the published patch details. Note also that the CVSS vector above scores the issue as PR:N, whereas the advisory text requires an authenticated user with privileges to manage orders; treat the privilege requirement in the description as the operative precondition.
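The following is an added illustration of the pattern described above; it is not Magento code and the class and function names are hypothetical. It renders a constructed set of order comments once through a template that echoes the stored value raw (the vulnerable pattern) and once through a template that escapes at the point of output, the way a Magento template would call $block->escapeHtml(). The escaper here is a plain htmlspecialchars wrapper, which is what Magento's Escaper::escapeHtml does for text content.

```php
<?php
// Added example (not Magento's code): stored order-comment XSS via a raw echo
// in a template, beside the hardened output-escaping form.
declare(strict_types=1);

// Hypothetical stand-in for a Block that returns comments for one order.
// Values come back exactly as stored; nothing here sanitises on the way out.
final class OrderCommentBlock
{
    /** @var string[] */
    private array $comments;

    public function __construct(array $comments)
    {
        $this->comments = $comments;
    }

    public function getComments(): array
    {
        return $this->comments;
    }

    // Mirrors the behaviour of Magento's escapeHtml() for plain text:
    // encode &, <, >, " and ' so the value can only ever be text in HTML.
    public function escapeHtml(string $data): string
    {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable template: the stored comment is concatenated into the page as-is.
function renderVulnerable(OrderCommentBlock $block): string
{
    $html = "<ul class=\"order-comments\">\n";
    foreach ($block->getComments() as $comment) {
        $html .= "  <li>" . $comment . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened template: every untrusted value is escaped where it is emitted.
function renderHardened(OrderCommentBlock $block): string
{
    $html = "<ul class=\"order-comments\">\n";
    foreach ($block->getComments() as $comment) {
        $html .= "  <li>" . $block->escapeHtml($comment) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Simple check for a template test suite: does the rendered page still
// contain an unescaped script tag?
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample comments: one benign, one carrying a script payload of
// the kind an order-management user could submit.
$block = new OrderCommentBlock([
    'Customer asked for gift wrapping.',
    '<script>alert(document.domain)</script>',
]);

echo "--- vulnerable template ---\n", renderVulnerable($block);
echo "--- hardened template ---\n", renderHardened($block);
echo "vulnerable output contains raw <script>: ",
    containsRawScriptTag(renderVulnerable($block)) ? "yes" : "no", "\n";
echo "hardened output contains raw <script>:   ",
    containsRawScriptTag(renderHardened($block)) ? "yes" : "no", "\n";
```

Run with `php example.php`. The hardened output shows the payload as literal text (`&lt;script&gt;...`), so the browser never parses it as markup. Escaping belongs in the template at output time, keyed to the context (escapeHtml for text nodes, escapeHtmlAttr for attribute values, escapeUrl for href/src); escaping or stripping on input is not a substitute, because the same stored value may be emitted into several contexts.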


WAF Protection Rules

WAF Rule

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious javascript.
