Category: Magento 1

PRODSECBUG-2197: Admin credentials are logged in exception reports

Description: Exception error reports capture administrative credentials in clear text format
Type: Information Disclosure
CVSSv3 Severity: 3.9
Known Attacks: none
Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento

Posted in Information Disclosure, Magento 1, Magento 2, Magento Commerce, Magento Open Source

PRODSECBUG-2178: Stored cross-site scripting in the admin panel via the Admin Shopping Cart Rules page

Type: General: Cross Site Scripting
CVSSv3 Severity: 5.8
Known Attacks: none
Description: An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of Admin Shopping Cart Rules page.
Product(s) Affected: Magento Open Source prior to 1.9.4.1,

Posted in Magento 1, Magento 2, Magento Commerce, Magento Open Source, Stored XSS

APPSEC-1878/1890: Cross-site Scripting in CMS hierarchy

Description: An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators.
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Product(s) Affected: Magento Open

Posted in Magento 1, Magento 2, Magento Commerce, Magento Open Source, Stored XSS

APPSEC-1973: Cross-site Scripting in Newsletter Template

Description: An administrator with limited privileges can embed cross-site scripting elements in the Newsletter template, which could potentially lead to a stored cross-site scripting attack.
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Product(s) Affected: Magento Open Source

Posted in Magento 1, Magento 2, Magento Commerce, Magento Open Source, Stored XSS

APPSEC-1928: Cross-site Scripting in Downloadable Product Link

Description: An administrator with limited privileges can insert script in the downloadable product link title field, which could subsequently lead to a stored cross-site scripting attack.
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Product(s) Affected: Magento Open

Posted in Magento 1, Magento 2, Magento Commerce, Magento Open Source, Stored XSS

APPSEC-1916: Cross-site Scripting in Attribute Group Name

Description: An administrator with limited privileges can insert script in the attribute group name field, which could potentially result in stored cross-site scripting that affects other administrators.
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Product(s) Affected: Magento

Posted in Magento 1, Magento 2, Magento Commerce, Magento Open Source, Stored XSS

APPSEC-1908/1948: Cross-site Scripting in custom variable

Description: An administrator with limited privileges can insert script in the custom variables name field, which could potentially result in stored cross-site scripting that affects other administrators.
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Product(s) Affected: Magento

Posted in Magento 1, Magento 2, Magento Commerce, Magento Open Source, Stored XSS

APPSEC-1892: Stored XSS in Visual Merchandiser

Description: An administrator with limited privileges can create a stored cross-site scripting attack in the Visual Merchandiser system.
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 6.1 (Medium)
Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to

Posted in Magento 1, Magento Commerce, Magento Open Source, Stored XSS