A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email address.

Affected Packages

Packagist magento/community-edition

Affected versions: 2.1.0 (fixed in 2.1.19)

Packagist magento/community-edition

Affected versions: 2.2.0 (fixed in 2.2.10)

Packagist magento/community-edition

Affected versions: 2.3.0 (fixed in 2.3.3)

Related CVEs

CVE-2019-8120

Key Information

GHSA ID

GHSA-985w-mqqp-7287

Published

May 24, 2022 5:00 PM

Last Modified

September 26, 2023 7:07 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

magento/community-edition

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.