APPSEC-1916: Cross-site Scripting in Attribute Group Name

Description: An administrator with limited privileges can insert script in the attribute group name field, which could potentially result in stored cross-site scripting that affects other administrators.

Type: Cross-site Scripting (XSS) – stored

CVSSv3 Severity: 5.0 (Medium)

Product(s) Affected: Magento Open Source prior to 1.9.3.8, Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, and Magento 2.2 prior to 2.2.3

Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
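
A post-patch audit for this issue, as an added example (not Magento code and not part of the original advisory): it scans attribute group names exported from the store database for markup that was stored before the fix, and returns the HTML-escaped form for safe display. The `(group_id, name)` row shape, the function names and the sample rows are assumptions constructed for illustration.

```python
import html
import re
import unicodedata

# Markup that has no place in a plain-text group name: a tag opener,
# an inline event-handler attribute, or a javascript: URL scheme.
_MARKUP = re.compile(
    r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def normalize(name: str) -> str:
    """Undo up to three layers of HTML-entity encoding and fold Unicode
    compatibility forms, so encoded markup is matched in plain form."""
    for _ in range(3):
        decoded = html.unescape(name)
        if decoded == name:
            break
        name = decoded
    return unicodedata.normalize("NFKC", name)


def audit_group_names(rows):
    """Return (group_id, stored name, escaped name) for each row whose
    name contains markup. rows is an iterable of (group_id, name)."""
    findings = []
    for group_id, name in rows:
        if _MARKUP.search(normalize(name)):
            findings.append((group_id, name, html.escape(name, quote=True)))
    return findings


# Constructed sample rows, not taken from any real store.
SAMPLE_ROWS = [
    (1, "General"),
    (2, "Prices & Tax"),
    (3, "Images <b>new</b>"),
    (4, "Design&lt;script&gt;alert(1)&lt;/script&gt;"),
    (5, 'Meta" onmouseover="x'),
    (6, "Size < 10 cm"),
]

if __name__ == "__main__":
    for gid, raw, safe in audit_group_names(SAMPLE_ROWS):
        print(f"group {gid}: {raw!r} -> render as {safe!r}")
```

Rows flagged here were written before or outside the fix and should be reviewed and cleaned by hand; upgrading alone does not remove values already stored.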
