New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Magento 2.3.3 and 2.2.10 Security Update

October 8, 2019

Magento Commerce and Open Source 2.3.3, 2.3.2-p1 and 2.2.10 contain tens of security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.3.

Please refer to Security Best Practices for additional information on how to secure your site.

The Magento 2.2.10 software release marks the final supported software release for Magento version 2.1.x. As of June 30, 2019, Magento 2.1.x will no longer receive security updates or product quality fixes, as its support window has expired.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.3.3 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.3

Magento Commerce 2.3.2-p1 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.2-p1

Magento Commerce 2.2.10 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.10

Magento Commerce 2.3.3, 2.3.2-p1 and 2.2.10 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.3.3, 2.3.2-p1 and 2.2.10 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.3.3 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.3

Magento Commerce 2.3.2-p1 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.2-p1

Magento Commerce 2.2.10 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.10

Magento Commerce 2.3.3, 2.3.2-p1 and 2.2.10 (New composer installations)

https://devdocs.magento.com/guides/v2.3/install-gde/composer.html

Magento Commerce 2.3.3, 2.3.2-p1 and 2.2.10 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.3.3, 2.3.2-p1 and 2.2.10 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.3.3, 2.3.2-p1 and 2.2.10 (New composer installations)

https://devdocs.magento.com/guides/v2.3/install-gde/composer.html

Magento Open Source 2.3.3, 2.3.2-p1 and 2.2.10 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.3.3, 2.3.2-p1 and 2.2.10 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.3/install-gde/install/cli/dev_options.html

PRODSECBUG-2403: Remote code execution through crafted Page Builder templates - CVE-2019-8144
Type: Remote Code Execution
CVSSv3 Severity: 10
Known Attacks: None
Description:

An unauthenticated user can insert a malicious payload through Page Builder template methods.

Product(s) Affected: Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2462: Remote code execution through file upload in Admin import feature (RCE) - CVE-2019-8114
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user with administrative privileges to import features can execute arbitrary code through a crafted configuration archive file upload.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: sambecks

PRODSECBUG-2470: Remote code execution in email templates (RCE) - CVE-2019-8110
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user can leverage the email template hierarchy to manipulate the interceptor class in a way that allows a malicious user to execute arbitrary code.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2469: Remote code execution in email templates (RCE) - CVE-2019-8111
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user can leverage plugin functionality that is related to email templates to manipulate the interceptor class in a way that allows a malicious user to execute arbitrary code.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2449: Remote code execution through local file delete and XSLT injection (RCE) - CVE-2019-8119
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated administrator with import product privileges can delete files through bulk product import and inject code into an XSLT file. The combination of these manipulations can lead to remote code execution.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: mortis

PRODSECBUG-2446: Remote code execution through custom layout update in the create product functionality (RCE) - CVE-2019-8122
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft a custom layout update and use the import product functionality to enable remote code execution.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2332: Remote code execution through arbitrary file inclusion (RCE) - CVE-2019-8154
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies a product design update.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Edgar Boda-Majer

PRODSECBUG-2376: Remote code execution through crafted page layout and image data (XSS) - CVE-2019-8150
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user with permission to manipulate layouts and images can insert a malicious payload into the page layout.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Internal employee

PRODSECBUG-2405: Injection vulnerability through email templates - CVE-2019-8143
Type: SQL injection
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2414: Remote code execution through custom layout update of the content management feature (RCE) - CVE-2019-8137
Type: Remote code execution (RCE)
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user with privileges to manipulate the CMS section of the website can trigger remote code execution through custom layout update.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Luke Rodgers

PRODSECBUG-2417: Remote code execution through vulnerable Symfony dependency injection (RCE) - CVE-2019-8135
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

Dependency injection through the Symfony framework allows service identifiers to be derived from user-controlled data, which can lead to remote code execution.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Anonymously reported

PRODSECBUG-2418: SQL injection through a marketing account with access to email templates variables - CVE-2019-8134
Type: SQL injection
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2416: Vulnerable component provides abstraction of HTTP specification - CVE-2019-8136
Type: Using components with known vulnerabilities
CVSSv3 Severity: 8.8
Known Attacks: None
Description:

Magento leveraged outdated versions of the HTTP specification abstraction that is implemented in the Symfony framework.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Anonymously reported

PRODSECBUG-2424: SQL injection vulnerability when accessing group data in email templates - CVE-2019-8130
Type: SQL injection
CVSSv3 Severity: 8.8
Known Attacks: None
Description:

A user with store manipulation privileges can execute arbitrary SQL queries by accessing the database connection through a group instance in email templates.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Edgar Boda-Majer

PRODSECBUG-2407: Remote code execution due to unsafe PHP archive deserialization in the Import feature (RCE) - CVE-2019-8141
Type: Remote Code Execution
CVSSv3 Severity: 8.7
Known Attacks: None
Description:

An authenticated user with administrative privileges (for example, system-level import) can execute arbitrary code through a Phar deserialization vulnerability in the Import feature.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Robin Peraglie

PRODSECBUG-2434: SQL injection in 'Catalog Products List' widget leading to privilege escalation - CVE-2019-8127
Type: SQL injection
CVSSv3 Severity: 8.5
Known Attacks: None
Description:

An authenticated user with permission to edit newsletter templates can exfiltrate the Admin login data and reset the Admin password, effectively performing a privilege escalation.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: valis

PRODSECBUG-2475: Remote code execution through cross-site request forgery (CSRF, RCE) - CVE-2019-8109
Type: Remote Code Execution
CVSSv3 Severity: 8.4
Known Attacks: None
Description:

An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2309: Server-side request forgery through a crafted connector endpoint - CVE-2019-8156
Type: Server-side Request Forgery
CVSSv3 Severity: 8
Known Attacks: None
Description:

An authenticated user with administrative privileges to modify store configuration settings can manipulate the connector API endpoint to remotely execute code.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2367: Remote code execution due to unsafe handling of a carrier gateway (RCE) - CVE-2019-8151
Type: Remote Code Execution
CVSSv3 Severity: 7.9
Known Attacks: None
Description:

An authenticated user with administrative privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2494: Arbitrary file deletion through design layout update - CVE-2019-8090
Type: Arbitrary File Deletion
CVSSv3 Severity: 7.6
Known Attacks: None
Description:

An authenticated user can manipulate the design layout update feature to delete arbitrary files.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2484: Arbitrary file deletion through export data transfer - CVE-2019-8107
Type: Arbitrary File Deletion
CVSSv3 Severity: 7.6
Known Attacks: None
Description:

An authenticated user with export data transfer privileges can craft a request that performs arbitrary file deletion.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: crownpeanut

PRODSECBUG-2440: Information disclosure through processing of external XML entities - CVE-2019-8126
Type: XML External Entity Injection (XXE)
CVSSv3 Severity: 7.6
Known Attacks: None
Description:

An authenticated administrator can craft a document type definition for an XML file representing XML layout. The crafted document type definition and XML layout allow processing of external entities, which can lead to information disclosure.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2415: Remote code execution due to a race condition in the import feature (RCE) - CVE-2019-8232
Type: Remote Code Execution
CVSSv3 Severity: 7.5
Known Attacks: None
Description:

An authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Robin Peraglie

PRODSECBUG-2485: Information disclosure through the file upload feature - CVE-2019-8093
Type: Disclosure of Critically Sensitive Data
CVSSv3 Severity: 7.3
Known Attacks: None
Description:

An authenticated user can leverage the file upload controller for downloadable products to read or delete arbitrary files.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Karim El Ouerghemmi

PRODSECBUG-2478: Broken authentication and session management - CVE-2019-8108
Type: Broken Authentication
CVSSv3 Severity: 7.3
Known Attacks: None
Description:

An authenticated user can manipulate a storefront's session validation setting, leading to insecure authentication and session management.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Customer report

PRODSECBUG-2456: Broken authentication and session management - CVE-2019-8116
Type: Inadequate Session Handling
CVSSv3 Severity: 7.3
Known Attacks: None
Description:

The Magento session manager does not correctly regenerate the customer session after a successful login. Although a new session is created, the old session (from before the customer authenticated) is not properly destroyed.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Alan Barber

PRODSECBUG-2402: Cross-site scripting through attribute set names (XSS) - CVE-2019-8145
Type: Cross-Site Scripting
CVSSv3 Severity: 6.8
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing its products.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2408: Unrestricted upload of a file with dangerous type - CVE-2019-8140
Type: Unrestricted file upload
CVSSv3 Severity: 6.5
Known Attacks: None
Description:

An authenticated administrative user can manipulate the Synchronization feature in the media file storage of the database to transform an uploaded JPEG file into a PHP file.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Robin Peraglie

PRODSECBUG-2410: Cross-site scripting through dynamic blocks in the Page Builder (XSS) - CVE-2019-8139
Type: Cross-Site Scripting
CVSSv3 Severity: 6.5
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code into a dynamic block when invoking Page Builder on a product.

Product(s) Affected: Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.3.2-p1, Magento 2.3.3
Reporter: Blaklis

PRODSECBUG-2412: Cross-site scripting through location name (XSS) - CVE-2019-8138
Type: Cross-Site Scripting
CVSSv3 Severity: 6.5
Known Attacks: None
Description:

An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2419: Bypass of sitemap access restrictions - CVE-2019-8133
Type: Security bypass
CVSSv3 Severity: 6.5
Known Attacks: None
Description:

A user with privileges to generate sitemaps can bypass configuration settings that restrict directory access. The bypass allows overwrite of a subset of configuration files, which can allow denial-of-service attacks.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Edgar Boda-Majer

PRODSECBUG-2423: Cross-site scripting through inventory source - CVE-2019-8131
Type: Cross-Site Scripting
CVSSv3 Severity: 6.5
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code into the code field of an inventory source.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2223: Remote code execution when using the import a new product feature (RCE) - CVE-2019-8159
Type: Remote Code Execution
CVSSv3 Severity: 6.4
Known Attacks: None
Description:

An authenticated user with system data manipulation privileges can execute arbitrary code through arbitrary file deletion and OS command injection.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: malerisch

PRODSECBUG-2447: Using JavaScript libraries with known security vulnerabilities - CVE-2019-8121
Type: Using components with known vulnerabilities
CVSSv3 Severity: 6.1
Known Attacks: None
Description:

Magento leveraged outdated versions of JavaScript libraries (Bootstrap, jQuery, Knockout) with known security vulnerabilities.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Customer report

PRODSECBUG-2458: Cross-site scripting in image file names (XSS) - CVE-2019-8115
Type: Cross-Site Scripting
CVSSv3 Severity: 6.1
Known Attacks: None
Description:

An authenticated administrator can inject arbitrary JavaScript code when adding an image during simple product creation.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Internal employee

PRODSECBUG-2452: User password is stored in cleartext - CVE-2019-8118
Type: Cryptographic Flaw
CVSSv3 Severity: 5.7
Known Attacks: None
Description:

A weak cryptographic function is used for storing the failed login attempts for customer accounts.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Nicolas Bretin

PRODSECBUG-2426: Cross-site scripting through store name (XSS) - CVE-2019-8128
Type: Cross-Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: None
Description:

An authenticated user can inject malicious JavaScript into the name of the main website.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2401: Cross-site scripting through customer attribute option values (XSS) - CVE-2019-8146
Type: Cross-Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2398: Cross-site scripting through customer attribute labels (XSS) - CVE-2019-8147
Type: Cross-Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code through customer attribute labels.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2392: Cross-site scripting through Page Builder banners (XSS) - CVE-2019-8148
Type: Cross-Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: None
Description:

An authenticated admin user can inject arbitrary JavaScript code when creating a content page using Page Builder.

Product(s) Affected: Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.3.2-p1, Magento 2.3.3
Reporter: Internal employee

PRODSECBUG-2406: Cross-site scripting through the payment method title (XSS) - CVE-2019-8142
Type: Cross-Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code through the title of an order when configuring sales payment methods for a store.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2425: Cross-site scripting through override of the Signifyd Guarantee Option translation (XSS) - CVE-2019-8129
Type: Cross-Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: None
Description:

An authenticated user can inject an embedded expression into a translation.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2390: Broken authentication and session management - CVE-2019-8149
Type: Broken Authentication
CVSSv3 Severity: 5.4
Known Attacks: None
Description:

An unauthenticated user can append an arbitrary session ID that will not be invalidated by subsequent authentication.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Internal employee

PRODSECBUG-2422: Cross-site scripting through email template names (XSS) - CVE-2019-8132
Type: Cross-Site Scripting
CVSSv3 Severity: 5.4
Known Attacks: None
Description:

An authenticated user can craft a malicious payload in the template Name field for email templates in the Design Configuration dashboard.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Max Chadwick

PRODSECBUG-2384: Stored cross-site scripting due to mishandling of HTML comments (XSS) - CVE-2019-8233
Type: Cross-Site Scripting
CVSSv3 Severity: 5.3
Known Attacks: None
Description:

An unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Simon Scannell

PRODSECBUG-2290: Cross-site scripting through the Admin (XSS) - CVE-2019-8157
Type: Cross-Site Scripting
CVSSv3 Severity: 4.8
Known Attacks: None
Description:

Users with permission to edit products can inject an XSS payload when saving a product with a downloadable link.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Karim El Ouerghemmi

PRODSECBUG-2455: Stored cross-site scripting through the Product page's URL (XSS) - CVE-2019-8117
Type: Cross-Site Scripting
CVSSv3 Severity: 4.7
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code through the product view ID specification.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Mike Eames

PRODSECBUG-2448: Cross-site scripting through the Admin dashboard (XSS) - CVE-2019-8120
Type: Cross-Site Scripting
CVSSv3 Severity: 4.4
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code by manipulating a section of a POST request that is related to a customer's email address.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Stefan Hesselman

PRODSECBUG-2344: Cross-site scripting through the WYSIWYG editor (XSS) - CVE-2019-8152
Type: Cross-Site Scripting
CVSSv3 Severity: 4
Known Attacks: None
Description:

An authenticated user with access to the WYSIWYG editor can abuse the blockDirective() function and inject malicious JavaScript into the cache of the Admin.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Simon Scannell

PRODSECBUG-2342: Cross-site scripting mitigation bypass (XSS) - CVE-2019-8153
Type: Security bypass
CVSSv3 Severity: 4
Known Attacks: None
Description:

An attacker can bypass the escapeURL() function and execute a malicious XSS payload.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Simon Scannell

PRODSECBUG-2489: Cross-site scripting during the preview of email templates (XSS) - CVE-2019-8092
Type: Cross-Site Scripting
CVSSv3 Severity: 4
Known Attacks: None
Description:

An authenticated user can inject arbitrary JavaScript code through email template preview.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Edgar Boda-Majer

PRODSECBUG-2272: XPath Injection through the storefront's rendering functionality - CVE-2019-8158
Type: XPath Injection vulnerability
CVSSv3 Severity: 3.7
Known Attacks: None
Description:

An attacker can craft a GET request to the page cache block rendering module that is passed to the XML data processing engine without validation. The crafted key/value GET request data gives the attacker limited access to the underlying XML data.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: External Pen-test

PRODSECBUG-2464: Use of weak cryptographic function - CVE-2019-8113
Type: Cryptographic flaw
CVSSv3 Severity: 3.7
Known Attacks: None
Description:

A cryptographically weak random number generator permits a malicious user to use brute force to access the confirmation code for customer registration.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: rbsec

PRODSECBUG-2465: Bypass of user confirmation mechanism - CVE-2019-8112
Type: Security bypass
CVSSv3 Severity: 3.7
Known Attacks: None
Description:

An unauthenticated user can bypass the email confirmation mechanism through a GET request that captures relevant account data obtained from the POST response that is related to new user creation.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Mohammad Saad

PRODSECBUG-2444: Missing logs of configuration changes related to design updates - CVE-2019-8124
Type: Insufficient logging and monitoring
CVSSv3 Severity: 3.3
Known Attacks: None
Description:

Failure to track administrative actions that are related to design configuration can lead to repudiation attacks.

Product(s) Affected: Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Internal employee

PRODSECBUG-2445: Insufficient logging and monitoring of configuration changes - CVE-2019-8123
Type: Insufficient logging and monitoring
CVSSv3 Severity: 3.3
Known Attacks: None
Description:

The logging feature that is required for effective monitoring did not contain sufficient data to effectively track configuration changes.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Internal employee

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.