CVE-2019-7867

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-7867
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-7867.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-7867
Aliases
Published
2019-08-02T22:15:15.673Z
Modified
2025-12-04T05:01:46.149189Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to manage orders and order status.

References

Affected packages

Git / github.com/magento/magento2

Affected ranges

Type
GIT
Repo
https://github.com/magento/magento2
Events
Introduced
909a2d7e8c2ac5ca55359827c22cea93fdb719df
Fixed
b808e00f4ad6fb33d5622171a88eb68877ae318d

Affected versions

2.*

2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9

Git / github.com/magento/devdocs

Affected ranges

Type
GIT
Repo
https://github.com/magento/devdocs
Events
Introduced
60523b1194f96e18c94c82b5515b0274b30e2151
Fixed
452b21aa6d3a221b587ca32d2d50785d92dd6aa1

Affected versions

2.*

2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.8
2.0.9
2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.3.0
2.3.1