4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-8227

GHSA ID

GHSA-j49x-jjmj-9fqj

EPSS Score

0.83453%

CWE

CWE-79

Published

5/24/2022

Updated

1/11/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-8227

CVE-2019-8227: Magento XSS Vulnerability

In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-8227

GHSA ID

GHSA-j49x-jjmj-9fqj

EPSS Score

0.83453%

CWE

CWE-79

Published

5/24/2022

Updated

1/11/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/core	composer	< 1.9.4.3	1.9.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in two key phases: 1) Input handling during profile configuration (Controller save() action) where malicious XML is accepted without sanitization, and 2) Output generation when the stored XML is rendered (Model getter). The controller's saveAction is the primary injection point while the model's getActionsXml enables payload execution. These align with Magento's typical import/export profile management flow and the advisory's focus on profile action XML manipulation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In M***nto prior to *.*.*.* *n* M***nto prior to *.**.*.*, *n *ut**nti**t** us*r wit* limit** **ministr*tiv* privil***s **n inj**t *r*itr*ry J*v*S*ript *o** vi* import / *xport *un*tion*lity w**n *r**tin* pro*il* **tion XML.

Reasoning

T** vuln*r**ility m*ni**sts in two k*y p**s*s: *) Input **n*lin* *urin* pro*il* *on*i*ur*tion (*ontroll*r `s*v*()` **tion) w**r* m*li*ious XML is ****pt** wit*out s*nitiz*tion, *n* *) Output **n*r*tion w**n t** stor** XML is r*n**r** (Mo**l `**tt*r`)

4.8

Basic Information

Concerned about an active attack path?

CVE-2019-8227: Magento XSS Vulnerability

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI