5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-7881

GHSA ID

GHSA-7xqv-jgv6-x2h8

EPSS Score

0.28987%

CWE

CWE-79

Published

5/24/2022

Updated

2/12/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-7881

CVE-2019-7881: Magento 2 Community Edition XSS Vulnerability

A cross-site scripting mitigation bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).

(GitHub Advisory)

5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-7881

GHSA ID

GHSA-7xqv-jgv6-x2h8

EPSS Score

0.28987%

CWE

CWE-79

Published

5/24/2022

Updated

2/12/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.1, < 2.1.18	2.1.18
magento/community-edition	composer	>= 2.2, < 2.2.9	2.2.9
magento/community-edition	composer	>= 2.3, < 2.3.2	2.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability specifically relates to stored XSS in shipping methods configuration (PRODSECBUG-2245). This typically occurs when user-controlled input from shipping method titles/configurations is rendered without proper escaping. Magento's admin shipping configuration would involve Blocks handling template rendering and .phtml templates outputting configuration values. While exact patch details are unavailable, historical patterns show XSS in Magento often stems from missing escapeHtml calls in admin template rendering. The medium confidence reflects the lack of direct commit evidence, but strong correlation between vulnerability description and Magento's admin shipping component structure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-sit* s*riptin* miti**tion *yp*ss *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.*, M***nto *.* prior to *.*.*. T*is *oul* ** *xploit** *y *n *ut**nti**t** us*r to *s**l*t* privil***s (**min vs. **min XSS *tt**k).

Reasoning

T** vuln*r**ility sp**i*i**lly r*l*t*s to stor** XSS in s*ippin* m*t*o*s *on*i*ur*tion (PRO*S***U*-****). T*is typi**lly o**urs w**n us*r-*ontroll** input *rom s*ippin* m*t*o* titl*s/*on*i*ur*tions is r*n**r** wit*out prop*r *s**pin*. M***nto's **min

5.4

Basic Information

Concerned about an active attack path?

CVE-2019-7881: Magento 2 Community Edition XSS Vulnerability

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI