Miggo Logo
Miggo Vulnerability Database
CVE-2019-8128

CVE-2019-8128: Magento Cross-Site Scripting via store name

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-8128
GHSA ID
GHSA-mhwc-4w67-xq2c
EPSS Score
0.39656%
CWE
CWE-79
Published
5/24/2022
Updated
5/15/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.2, < 2.2.102.2.10
magento/community-editioncomposer>= 2.3, < 2.3.2-p12.3.2-p1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided information does not include specific code snippets, commit diffs, or patch details that would allow precise identification of vulnerable functions. While the vulnerability clearly stems from insufficient output escaping of the store name value in templates or rendering logic, Magento's architecture typically handles XSS vulnerabilities through template escaping mechanisms rather than discrete functions. Without access to the actual patched code changes or specific file references from Magento's security fix, we cannot confidently map this to specific PHP functions with high certainty. The root cause likely resides in template files (.phtml) lacking proper escape methods like escapeHtml() when rendering the store name, but these template elements are not functions in the traditional sense.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xists in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p*. *n *ut**nti**t** us*r **n *xploit it *y inj**tin* m*li*ious J*v*s*ript into t** n*m* o* m*in w**sit*.

Reasoning

T** provi*** in*orm*tion *o*s not in*lu** sp**i*i* *o** snipp*ts, *ommit *i**s, or p*t** **t*ils t**t woul* *llow pr**is* i**nti*i**tion o* vuln*r**l* *un*tions. W*il* t** vuln*r**ility *l**rly st*ms *rom insu**i*i*nt output *s**pin* o* t** stor* n*m