📚 [PRODSECBUG-2337/PRODSECBUG-2307] Stored cross-site scripting in the catalog templates form - CVE-2019-7921 / Insufficient enforcement of user access controls could lead to unauthorized environment configuration changes - CVE-2019-7904

🕛 Zeit seit Veröffentlichung: 1266 Tage, 23 Stunden 4 Minuten
📆 Veröffentlicht am: 26.10.2020 um 10:44 Uhr
💡 Newskategorie: Sicherheitslücken
🔗 Quelle: portal.patchman.co

PRODSECBUG-2337: A stored cross-site scripting vulnerability existed in the product catalog form. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javascript.

PRODSECBUG-2307: Insufficient enforcement of user access controls could be abused by a low-privileged user to make unauthorized environment configuration changes, such as removing security controls.

Part of update Magento 2.3.2, 2.2.9 and 2.1.18 Security Update 2/3

This vulnerability affects the following application versions:

Magento 2.0.0
Magento 2.0.1
Magento 2.0.2
Magento 2.0.3
Magento 2.0.4
Magento 2.0.5
Magento 2.0.6
Magento 2.0.7
Magento 2.0.8
Magento 2.0.9
Magento 2.0.10
Magento 2.0.11
Magento 2.0.12
Magento 2.0.13
Magento 2.0.14
Magento 2.0.15
Magento 2.0.16
Magento 2.0.17
Magento 2.0.18
Magento 2.1.0
Magento 2.1.1
Magento 2.1.2
Magento 2.1.3
Magento 2.1.4
Magento 2.1.5
Magento 2.1.6
Magento 2.1.7
Magento 2.1.8
Magento 2.1.9
Magento 2.1.10
Magento 2.1.11
Magento 2.1.12
Magento 2.1.13
Magento 2.1.14
Magento 2.1.15
Magento 2.1.16
Magento 2.1.17
Magento 2.2.0
Magento 2.2.1
Magento 2.2.2
Magento 2.2.3
Magento 2.2.4
Magento 2.2.5
Magento 2.2.6
Magento 2.2.7
Magento 2.2.8
Magento 2.2.11
Magento 2.3.0
Magento 2.3.1

...

Sharing is caring on Social Media

Join the Team IT Security Community

📌 Bugtraq: [security bulletin] HPSBUX03574 rev.1 - HPE HP-UX CIFS-Server (Samba), Remote Access Restriction Bypass, Authentication bypass, Denial of Service (DoS), Unauthorized Access to Files, Access Restriction Bypass, Unauthorized Information Disclo

🕛 2895 Tage, 22 Stunden 25 Minuten
📆 00.00.0000 um 00:00 Uhr
📈 43 Punkte

📌 Bugtraq: [security bulletin] HPSBUX03574 rev.1 - HPE HP-UX CIFS-Server (Samba), Remote Access Restriction Bypass, Authentication bypass, Denial of Service (DoS), Unauthorized Access to Files, Access Restriction Bypass, Unauthorized Information Disclo

🕛 2895 Tage, 22 Stunden 25 Minuten
📆 00.00.0000 um 00:00 Uhr
📈 43 Punkte

📌 WordPress Royal Elementor 1.3.59 XSS / CSRF / Insufficient Access Controls

🕛 459 Tage, 16 Stunden 3 Minuten
📆 11.01.2023 um 16:47 Uhr
📈 31.94 Punkte

📌 Catching Configuration Changes that Can Lead to Data Exposure

🕛 1966 Tage, 3 Stunden 32 Minuten
📆 27.11.2018 um 05:01 Uhr
📈 29.97 Punkte

📌 Two flaws that could lead to Potential lead to RCE fixed by OpenSSL project team

🕛 647 Tage, 0 Stunden 15 Minuten
📆 08.07.2022 um 11:29 Uhr
📈 28.85 Punkte

📌 Cgiscript.net csMailto csMailto.cgi form-to/form-from/form-results privilege escalation

🕛 1729 Tage, 16 Stunden 9 Minuten
📆 21.07.2019 um 16:28 Uhr
📈 28.52 Punkte

📌 Bugtraq: [security bulletin] HPESBHF03741 rev.1 - HPE Network products including Comware 7, IMC, and VCX running OpenSSL, Local Unauthorized Disclosure of Information, Remote Denial of Service (DoS), Unauthorized Disclosure of Information

🕛 2539 Tage, 0 Stunden 44 Minuten
📆 03.05.2017 um 09:04 Uhr
📈 28.51 Punkte

📌 Bugtraq: [security bulletin] HPESBMU03806 rev.1 - HPE IceWall Products, Multiple Remote Unauthorized Disclosure of Information, Unauthorized Modificiation

🕛 2278 Tage, 18 Stunden 11 Minuten
📆 18.01.2018 um 15:37 Uhr
📈 28.51 Punkte

📌 ZTE ZXDSL 831 Unauthorized Configuration Access Bypass

🕛 2329 Tage, 17 Stunden 29 Minuten
📆 27.11.2017 um 14:22 Uhr
📈 28.03 Punkte

📌 ZTE ZXDSL 831 Unauthorized Configuration Access Bypass

🕛 2329 Tage, 17 Stunden 25 Minuten
📆 27.11.2017 um 14:22 Uhr
📈 28.03 Punkte

📌 LinkedIn: Unauthorized access to resumes stored on LinkedIn

🕛 494 Tage, 13 Stunden 46 Minuten
📆 17.11.2022 um 18:40 Uhr
📈 27.89 Punkte

📌 Demystifying ARM Templates: Intro to ARM Templates | The DevOps Lab

🕛 1391 Tage, 9 Stunden 17 Minuten
📆 23.06.2020 um 16:00 Uhr
📈 27.59 Punkte

📌 Configuration as Code Plugin up to 1.24 on Jenkins Configuration Import Environment Variable information disclosure

🕛 1367 Tage, 20 Stunden 1 Minuten
📆 17.07.2020 um 09:13 Uhr
📈 27.55 Punkte

📌 Added escaping to admin templates for the catalog module to avoid XSS

🕛 678 Tage, 2 Stunden 42 Minuten
📆 21.07.2021 um 16:40 Uhr
📈 27.44 Punkte

📌 Added escaping to elements in the frontend templates for the catalog module to avoid XSS

🕛 678 Tage, 2 Stunden 42 Minuten
📆 19.07.2021 um 12:59 Uhr
📈 27.44 Punkte

📌 Xpdf 4.02 Catalog.cc Catalog.pageLabels NULL Pointer Dereference denial of service

🕛 1304 Tage, 22 Stunden 31 Minuten
📆 18.09.2020 um 10:25 Uhr
📈 27.29 Punkte

📌 [PRODSECBUG-2162] Unauthorized data control due to a bypass of authentication controls for a customer using a web API endpoint

🕛 1600 Tage, 8 Stunden 16 Minuten
📆 27.11.2019 um 10:27 Uhr
📈 26 Punkte

📌 NordVPN: Unauthorized User Can Delete Any User Account

🕛 1480 Tage, 17 Stunden 15 Minuten
📆 24.02.2020 um 09:51 Uhr
📈 25.86 Punkte

📌 Microsoft Azure Services Flaws Could've Exposed Cloud Resources to Unauthorized Access

🕛 453 Tage, 17 Stunden 3 Minuten
📆 17.01.2023 um 15:12 Uhr
📈 25.47 Punkte

📌 Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access

🕛 138 Tage, 19 Stunden 44 Minuten
📆 28.11.2023 um 13:34 Uhr
📈 25.47 Punkte

📌 XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

🕛 31 Tage, 1 Stunden 18 Minuten
📆 30.03.2024 um 01:07 Uhr
📈 25.47 Punkte

📌 Frost Bank Detects Unauthorized Access that Could Have Exposed Check Images

🕛 2217 Tage, 22 Stunden 33 Minuten
📆 20.03.2018 um 11:14 Uhr
📈 25.47 Punkte

📌 Stops Core Theme And Plugin Updates < 8.0.5 - Insufficient Restrictions on Option Changes

🕛 1691 Tage, 12 Stunden 16 Minuten
📆 27.08.2019 um 16:40 Uhr
📈 25.16 Punkte

📌 [APPSEC-1825] PHP Object Injection in E-mail templates lead to Remote Code Execution

🕛 1692 Tage, 2 Stunden 15 Minuten
📆 13.08.2019 um 09:56 Uhr
📈 25.02 Punkte

📌 Twitter Bug That Enables Third-party apps to get Unauthorized Access to User’s Direct Messages

🕛 1946 Tage, 5 Stunden 3 Minuten
📆 17.12.2018 um 03:55 Uhr
📈 24.89 Punkte

📌 Dropcontact: IDOR at [https://dropcontact.firstpromote] which allows an UNAUTHORIZED user to ACCESS and EDIT Paypal GMAIL by Changing the ID.

🕛 1334 Tage, 15 Stunden 0 Minuten
📆 16.08.2020 um 04:35 Uhr
📈 24.89 Punkte

📌 Unauthorized user access in backend module

🕛 678 Tage, 2 Stunden 42 Minuten
📆 30.08.2021 um 14:47 Uhr
📈 24.89 Punkte

📌 Suppose you are in a corporate network environment and often times find yourself manually setting/unsetting the HTTP_PROXY environment variable in order to access different hosts. Sounds familiar? In this case, dePAC might help you!

🕛 1764 Tage, 17 Stunden 48 Minuten
📆 16.06.2019 um 14:33 Uhr
📈 24.14 Punkte

📌 Upcoming iOS Access Restrictions Could Stymie Law Enforcement

🕛 2129 Tage, 19 Stunden 16 Minuten
📆 16.06.2018 um 14:00 Uhr
📈 24.11 Punkte

📌 Eggheads show how network flaw could lead to NASA crew pod loss. Key word: Could

🕛 516 Tage, 4 Stunden 46 Minuten
📆 16.11.2022 um 00:45 Uhr
📈 24.01 Punkte

📌 Bugtraq: [security bulletin] HPSBUX03596 rev.1 - HPE HP-UX running CIFS Server (Samba), Remote Access Restriction Bypass, Unauthorized Access

🕛 2895 Tage, 22 Stunden 25 Minuten
📆 00.00.0000 um 00:00 Uhr
📈 23.91 Punkte

📌 Bugtraq: [security bulletin] HPSBGN03638 rev.1 - HPE Remote Device Access: Virtual Customer Access System (vCAS) using lighttpd and OpenSSH, Unauthorized Modification of Information, Remote Denial of Service (DoS), Remote Disclosure of Information

🕛 2785 Tage, 0 Stunden 48 Minuten
📆 30.08.2016 um 09:00 Uhr
📈 23.91 Punkte

📌 Bugtraq: [security bulletin] HPSBGN03645 rev.2 - HPE Helion OpenStack Glance, Remote Access Restriction Bypass, Unauthorized Access

🕛 2761 Tage, 23 Stunden 48 Minuten
📆 22.09.2016 um 10:00 Uhr
📈 23.91 Punkte