CVE-2019-7862: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 24, 2022 (updated July 17, 2023)

A reflected cross-site scripting vulnerability exists in the Product widget chooser functionality in the admin panel for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

References

github.com/advisories/GHSA-m3v2-r236-5xgq
nvd.nist.gov/vuln/detail/CVE-2019-7862
web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13

Code Behaviors & Features

Detect and mitigate CVE-2019-7862 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →