Skip to main content

Magento CVE-2019-7923

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2019-08-02 psirt@adobe.com
7.2
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 02, 2019 - 22:15 nvd
HIGH 7.2

DescriptionNVD

A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code.

AnalysisAI

A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code. Affected products include: Magento. Version information: prior to 2.1.18.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

CVE-2016-4010 CRITICAL POC
9.8 Jan 23

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary

CVE-2015-1397 MEDIUM POC
6.5 Apr 29

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Communit

CVE-2024-34102 CRITICAL POC
9.8 Jun 13

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML E

CVE-2015-1398 MEDIUM POC
6.5 Apr 29

Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.

CVE-2019-7139 CRITICAL POC
9.8 Apr 10

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which ca

CVE-2020-8818 HIGH POC
8.1 Feb 25

An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Rated high severity (CVSS 8.1), th

CVE-2023-41879 HIGH POC
7.5 Sep 11

Magento LTS is the official OpenMage LTS codebase. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi

CVE-2015-1399 MEDIUM POC
6.5 Apr 29

PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento

CVE-2015-3458 MEDIUM POC
6.5 Apr 29

The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterpri

CVE-2014-9758 MEDIUM POC
6.1 Sep 20

Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platform 1.9.0.1. Rated medium severity (CVSS 6.1), this

CVE-2015-8707 CRITICAL
9.8 Sep 26

Password reset tokens in Magento CE before 1.9.2.2, and Magento EE before 1.14.2.2 are passed via a GET request and not

CVE-2024-45115 CRITICAL
9.8 Oct 10

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication v

Share

CVE-2019-7923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy