CVE-2019-8227: Magento XSS Vulnerability
4.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.83453%
CWE
Published
5/24/2022
Updated
1/11/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
magento/core | composer | < 1.9.4.3 | 1.9.4.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability manifests in two key phases: 1) Input handling during profile configuration (Controller save()
action) where malicious XML is accepted without sanitization, and 2) Output generation when the stored XML is rendered (Model getter
). The controller's saveAction
is the primary injection point while the model's getActionsXml
enables payload execution. These align with Magento's typical import/export profile management flow and the advisory's focus on profile action XML manipulation.