5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-8123

GHSA ID

GHSA-fp5m-4mqh-849p

EPSS Score

0.27024%

CWE

CWE-778

Published

5/24/2022

Updated

2/12/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-8123

CVE-2019-8123:
Magento 2 Community Edition Insufficient Logging

An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficent data to effectively track configuration changes. As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-8123

GHSA ID

GHSA-fp5m-4mqh-849p

EPSS Score

0.27024%

CWE

CWE-778

Published

5/24/2022

Updated

2/12/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.1.0, < 2.1.19	2.1.19
magento/community-edition	composer	>= 2.2.0, < 2.2.10	2.2.10
magento/community-edition	composer	>= 2.3.0, < 2.3.3	2.3.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers around insufficient logging of configuration changes. While exact code diffs are unavailable, Magento's configuration management flow involves these key components:

The Save controller action is the entry point for configuration changes
The Config model's save() method persists the changes

In vulnerable versions, these components likely lacked:

User identity logging
Before/after value recording
Timestamp granularity
Change type identification

Confidence is medium because while these are architecturally logical locations for the flaw, the absence of commit diffs prevents absolute certainty. The patched versions (2.1.19+, 2.2.10+, 2.3.3+) would have enhanced logging in these areas based on the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n insu**i*i*nt lo**in* *n* monitorin* vuln*r**ility *xists in M***nto * prior to *.*.*.* *n* *.**.*.*, M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.*. T** lo**in* ***tur* r*quir** *or *****tiv* monitorin* *i* no

Reasoning

T** vuln*r**ility **nt*rs *roun* insu**i*i*nt lo**in* o* *on*i*ur*tion ***n**s. W*il* *x**t *o** *i**s *r* un*v*il**l*, M***nto's *on*i*ur*tion m*n***m*nt *low involv*s t**s* k*y *ompon*nts: *. T** S*v* *ontroll*r **tion is t** *ntry point *or *on*i*

5.3

Basic Information

Concerned about an active attack path?

CVE-2019-8123: Magento 2 Community Edition Insufficient Logging

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-8123:
Magento 2 Community Edition Insufficient Logging

Vulnerability Intelligence
Miggo AI