Miggo Logo

CVE-2019-7881: Magento 2 Community Edition XSS Vulnerability

5.4

CVSS Score
3.0

Basic Information

EPSS Score
0.28987%
Published
5/24/2022
Updated
2/12/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.1, < 2.1.182.1.18
magento/community-editioncomposer>= 2.2, < 2.2.92.2.9
magento/community-editioncomposer>= 2.3, < 2.3.22.3.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability specifically relates to stored XSS in shipping methods configuration (PRODSECBUG-2245). This typically occurs when user-controlled input from shipping method titles/configurations is rendered without proper escaping. Magento's admin shipping configuration would involve Blocks handling template rendering and .phtml templates outputting configuration values. While exact patch details are unavailable, historical patterns show XSS in Magento often stems from missing escapeHtml calls in admin template rendering. The medium confidence reflects the lack of direct commit evidence, but strong correlation between vulnerability description and Magento's admin shipping component structure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-sit* s*riptin* miti**tion *yp*ss *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.*, M***nto *.* prior to *.*.*. T*is *oul* ** *xploit** *y *n *ut**nti**t** us*r to *s**l*t* privil***s (**min vs. **min XSS *tt**k).

Reasoning

T** vuln*r**ility sp**i*i**lly r*l*t*s to stor** XSS in s*ippin* m*t*o*s *on*i*ur*tion (PRO*S***U*-****). T*is typi**lly o**urs w**n us*r-*ontroll** input *rom s*ippin* m*t*o* titl*s/*on*i*ur*tions is r*n**r** wit*out prop*r *s**pin*. M***nto's **min