Miggo Logo
Miggo Vulnerability Database
CVE-2019-8228

CVE-2019-8228: Withdrawn Advisory: Magento 2 Community Edition XSS Vulnerability

4.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-8228
GHSA ID
GHSA-988g-wfwf-5666
EPSS Score
0.83453%
CWE
CWE-79
Published
5/24/2022
Updated
9/27/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer< 1.9.4.31.9.4.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability involves stored XSS in transactional email templates. The attack vector implies:- 1) Malicious input is stored when saving template content (handled by controller)- 2) XSS triggers when rendering the template in admin interface (handled by form block).

While the controller's saveAction (Mage_Adminhtml_System_Email_TemplateController::saveAction) processes input, the actual XSS exploitation occurs during output rendering. In Magento's architecture, the _prepareForm method in the email template edit form block is responsible for populating form field values. Without proper escaping here, stored JavaScript would execute when admins view the template. This matches the pattern of Magento's historical XSS fixes where escapeHtml() was added to form field values.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* t** vuln*r**ility *o*s not *****t * p**k*** in on* o* t** *it*u* **visory **t***s*'s [support** **osyst*ms](*ttps://*it*u*.*om/*it*u*/**visory-**t***s*/*lo*/m*in/R***M*.m*#support**-**os

Reasoning

T** vuln*r**ility involv*s stor** XSS in tr*ns**tion*l *m*il t*mpl*t*s. T** *tt**k v**tor impli*s:- *) M*li*ious input is stor** w**n s*vin* t*mpl*t* *ont*nt (**n*l** *y *ontroll*r)- *) XSS tri***rs w**n r*n**rin* t** t*mpl*t* in **min int*r**** (**n