A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript.

Affected Packages

Packagist magento/community-edition

Affected versions: 2.1.0 (fixed in 2.1.18)

Packagist magento/community-edition

Affected versions: 2.2.0 (fixed in 2.2.9)

Packagist magento/community-edition

Affected versions: 2.3.0 (fixed in 2.3.2)

Related CVEs

CVE-2019-7937

Key Information

GHSA ID

GHSA-94fc-rxhv-vvf8

Published

May 24, 2022 4:52 PM

Last Modified

February 12, 2024 11:48 AM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

magento/community-edition

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 19, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.