Vulnerability CVE-2019-7849


Published: 2019-08-02

Description:
A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2.

Type:

CWE-384

(Session Fixation)

Vendor: Magento
Product: Magento 
Version:
2.3.1
2.3.0
2.2.8
2.2.7
2.2.6
2.2.5
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.9
2.1.8
2.1.7
2.1.6
2.1.5
2.1.4
2.1.3
2.1.2
2.1.17
2.1.16
2.1.15
2.1.14
2.1.13
2.1.12
2.1.11
2.1.10
2.1.1
2.1.0
1.9.4.1
1.9.4.0
1.9.3.9
1.9.3.8
1.9.3.7
1.9.3.6
1.9.3.5
1.9.3.4
1.9.3.3
1.9.3.2
1.9.3.10
1.9.3.1
1.9.3.0
1.9.2.4
1.9.2.3
1.9.2.2
1.9.2.1
1.9.2.0
1.9.1.0
1.9.0.1
1.9.0.0
1.14.4.1
1.14.4.0
1.14.3.9
1.14.3.8
1.14.3.7
1.14.3.6
1.14.3.5
1.14.3.4
1.14.3.3
1.14.3.2
1.14.3.10
1.14.3.1
1.14.3.0
1.14.2.0
1.14.1.0
1.14.0.1
1.14.0.0

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33

Related CVE
CVE-2019-7951
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to le...
CVE-2019-7950
An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, ...
CVE-2019-7947
A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2...
CVE-2019-7945
A stored cross-cite scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privil...
CVE-2019-7944
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An ...
CVE-2019-7942
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML ...
CVE-2019-7940
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be ...
CVE-2019-7939
A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in...

Copyright 2019, cxsecurity.com

 

Back to Top