
CVE-2019-7897: Magento 2 Community Edition XSS Vulnerability

CVSS Score: 4.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.3017%
Published: 5/24/2022
Updated: 2/12/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name              | Ecosystem | Vulnerable Versions  | First Patched Version
magento/community-edition | composer  | >= 2.1.0, < 2.1.18   | 2.1.18
magento/community-edition | composer  | >= 2.2.0, < 2.2.9    | 2.2.9
magento/community-edition | composer  | >= 2.3.0, < 2.3.2    | 2.3.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from unescaped output of user-controlled data in the admin panel's customer configuration sections. While no explicit patch diffs are available, the CWE-79 classification and Magento's security bulletin indicate improper neutralization of that data during rendering. The functions and templates listed are core components that display customer data in the admin interface. The high confidence rests on three points:
1) the vulnerability's stored-XSS nature, which requires output that is not escaped;
2) Magento's typical use of .phtml templates with $block->escapeHtml() for XSS protection;
3) the description's specific mention of customer configuration privileges, which aligns with these customer management components.
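As an added illustration of the root cause described above (not Magento's code and not this page's), the same stored customer fields are rendered the vulnerable way and through the block's escapers. StandInBlock and its customer data are constructed stand-ins for a Magento block and for the real Magento\Framework\Escaper behind $block->escapeHtml() and $block->escapeHtmlAttr().

```php
<?php
// Constructed stand-in for a Magento admin block; the real escaping helpers
// live in Magento\Framework\Escaper, this only mirrors their core behaviour.
final class StandInBlock
{
    public function __construct(private array $customer) {}

    // Value exactly as stored, e.g. a field saved through the admin panel.
    public function getCustomerField(string $name): string
    {
        return $this->customer[$name] ?? '';
    }

    // Escape for an HTML text node.
    public function escapeHtml(string $data): string
    {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Escape for a quoted HTML attribute value.
    public function escapeHtmlAttr(string $data): string
    {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the template echoes stored data straight into markup,
// so whatever was saved is parsed as HTML when an admin views the page.
function renderUnescaped(StandInBlock $block): string
{
    return '<td title="' . $block->getCustomerField('company') . '">'
         . $block->getCustomerField('firstname') . '</td>';
}

// Hardened pattern: every user-controlled value goes through the escaper
// matching the context it lands in (text node vs. attribute value).
function renderEscaped(StandInBlock $block): string
{
    return '<td title="' . $block->escapeHtmlAttr($block->getCustomerField('company')) . '">'
         . $block->escapeHtml($block->getCustomerField('firstname')) . '</td>';
}

// Constructed sample: markup and a stray quote where plain text is expected.
$block = new StandInBlock([
    'firstname' => 'Alice <b>not bold</b>',
    'company'   => 'Acme" data-injected="yes',
]);

echo renderUnescaped($block), PHP_EOL; // tag and attribute breakout survive
echo renderEscaped($block), PHP_EOL;   // rendered as inert text: &lt;b&gt; and &quot;
```

Running the two renderers side by side shows the only difference is the escaper call, which is the kind of change a fix for this CWE-79 class typically introduces in the affected .phtml templates.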

