PRODSECBUG-2178: Stored cross-site scripting in the admin panel via the Admin Shopping Cart Rules page

Type: General: Cross Site Scripting

CVSSv3 Severity: 5.8

Known Attacks: none

Description:
An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of the Admin Shopping Cart Rules page.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1

Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
