8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38219

GHSA ID

GHSA-3j7w-jp46-9752

EPSS Score

0.80409%

CWE

CWE-79

Published

10/13/2023

Updated

3/4/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38219

CVE-2023-38219:
Magento Open Source allows Cross-Site Scripting (XSS)

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Payload is stored in an admin area, resulting in high confidentiality and integrity impact.

(GitHub Advisory)

8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38219

GHSA ID

GHSA-3j7w-jp46-9752

EPSS Score

0.80409%

CWE

CWE-79

Published

10/13/2023

Updated

3/4/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	= 2.4.7-beta1	2.4.7-beta2
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	= 2.4.4
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p3	2.4.6-p3
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p5	2.4.5-p5
magento/community-edition	composer	>= 2.4.4-p1, < 2.4.4-p6	2.4.4-p6
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information describes a stored XSS vulnerability in Magento's admin area but does not include specific technical details about the implementation. While the general attack vector (improper input sanitization in admin form fields) and CWE-79 are identified, there is no access to commit diffs, patch details, or code examples showing vulnerable functions. Without concrete evidence of specific functions lacking output escaping or input sanitization, we cannot confidently identify exact vulnerable functions. The advisory's lack of technical specifics about affected components makes precise function identification impossible with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-**t** (*n* **rli*r), *.*.*-p* (*n* **rli*r), *.*.*-p* (*n* **rli*r) *n* *.*.*-p* (*n* **rli*r) *r* *****t** *y * stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility t**t *oul* ** **us** *y * low-privil**** *tt**k*r to inj**t

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s * stor** XSS vuln*r**ility in M***nto's **min *r** *ut *o*s not in*lu** sp**i*i* t***ni**l **t*ils **out t** impl*m*nt*tion. W*il* t** **n*r*l *tt**k v**tor (improp*r input s*nitiz*tion in **min *orm *

8.7

Basic Information

Concerned about an active attack path?

CVE-2023-38219: Magento Open Source allows Cross-Site Scripting (XSS)

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-38219:
Magento Open Source allows Cross-Site Scripting (XSS)

Vulnerability Intelligence
Miggo AI