Miggo Logo
Miggo Vulnerability Database
CVE-2019-7882

CVE-2019-7882: Magento 2 Community Edition XSS Vulnerability

5.4

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-7882
GHSA ID
GHSA-ff7r-7rrm-wx6w
EPSS Score
0.28987%
CWE
CWE-79
Published
5/24/2022
Updated
2/12/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.1, < 2.1.182.1.18
magento/community-editioncomposer>= 2.2, < 2.2.92.2.9
magento/community-editioncomposer>= 2.3, < 2.3.22.3.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper handling of SWF file uploads in the WYSIWYG editor. The identified functions are core components responsible for processing user-uploaded files. The lack of validation/SWF filtering in these functions (patched in later versions) allowed attackers to inject malicious SWF files. The XSS occurs when these files are rendered, as SWF can execute scripts via parameters like 'flashvars'. The confidence is high because these components directly align with the vulnerability's attack vector (authenticated SWF upload) and Magento's security patches typically target such core handlers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* stor** *ross-sit* s*riptin* vuln*r**ility *xists in t** WYSIWY* **itor o* M***nto Op*n Sour** prior to *.*.*.*, *n* M***nto *omm*r** prior to *.**.*.*, M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.*, M***nto *.* prior to *.*.*. *n *ut**nti

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* SW* *il* uplo**s in t** WYSIWY* **itor. T** i**nti*i** *un*tions *r* *or* *ompon*nts r*sponsi*l* *or pro**ssin* us*r-uplo**** *il*s. T** l**k o* `v*li**tion/SW*` *ilt*rin* in t**s* *un*tions (p*t****