CVE-2019-7897: Magento 2 Community Edition XSS Vulnerability
4.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.3017%
CWE
Published
5/24/2022
Updated
2/12/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
magento/community-edition | composer | >= 2.1.0, < 2.1.18 | 2.1.18 |
magento/community-edition | composer | >= 2.2.0, < 2.2.9 | 2.2.9 |
magento/community-edition | composer | >= 2.3.0, < 2.3.2 | 2.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped output of user-controlled data in admin panel customer configuration sections. While no explicit patch diffs are available, the CWE-79 classification and Magento's security bulletin indicate improper neutralization during rendering. The functions/templates
listed are core components handling customer data display in the admin interface. The high confidence comes from: 1) The vulnerability's stored XSS nature requiring unescaped output 2) Magento's typical use of .phtml
templates with $block->escapeHtml()
for XSS protection 3) The specific mention of customer configuration privileges in the description, aligning with these customer management components.