CVE-2019-7944

medium

Description

A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious javascript.

References

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-24

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23

Details

Source: Mitre, NVD

Published: 2019-08-02

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00089