CVE-2019-7881: Magento 2 Community Edition XSS Vulnerability
CVSS Score: 5.4 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-7881
GHSA ID:
EPSS Score: 0.28987%
CWE:
Published: 5/24/2022
Updated: 2/12/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
magento/community-edition | composer | >= 2.1, < 2.1.18 | 2.1.18 |
magento/community-edition | composer | >= 2.2, < 2.2.9 | 2.2.9 |
magento/community-edition | composer | >= 2.3, < 2.3.2 | 2.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability specifically relates to stored XSS in the shipping methods configuration (PRODSECBUG-2245). This class of issue typically occurs when user-controlled input from shipping method titles or configuration values is rendered without proper escaping. In Magento, the admin shipping configuration involves Blocks that handle template rendering and .phtml templates that output configuration values. While exact patch details are unavailable, historical patterns show that XSS in Magento often stems from missing escapeHtml calls in admin template rendering. The medium confidence reflects the lack of direct commit evidence, offset by a strong correlation between the vulnerability description and the structure of Magento's admin shipping component.