Miggo Logo
Miggo Vulnerability Database
CVE-2019-8117

CVE-2019-8117: Magento 2 Community Edition XSS Vulnerability

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-8117
GHSA ID
GHSA-v99w-jxr4-w6mc
EPSS Score
0.36887%
CWE
CWE-79
Published
5/24/2022
Updated
2/11/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.2.0, < 2.2.102.2.10
magento/community-editioncomposer>= 2.3.0, < 2.3.2-p12.3.2-p1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insufficient output encoding when rendering product view IDs in templates. While exact patch details are unavailable, the pattern matches Magento's product rendering flow: 1) View controller handles ID parameter 2) View block generates HTML output. The high-confidence entry reflects core template rendering mechanics where product details (including ID-derived data) are output without adequate escaping. The medium-confidence controller entry reflects potential parameter handling before sanitization. The stored XSS nature indicates the payload persists through product view pages, implicating these core product display components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p*. *n *ut**nti**t*s us*r **n inj**t *r*itr*ry J*v*S*ript *o** vi* pro*u*t vi*w i* sp**i*i**tion.

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt output *n*o*in* w**n r*n**rin* pro*u*t vi*w I*s in t*mpl*t*s. W*il* *x**t p*t** **t*ils *r* un*v*il**l*, t** p*tt*rn m*t***s M***nto's pro*u*t r*n**rin* *low: *) Vi*w *ontroll*r **n*l*s I* p*r*m*t*r *) Vi*w *