CVE-2019-7849

EPSS 0.05%
Veröffentlicht 02.08.2019 22:15:14
Zuletzt bearbeitet 21.11.2024 04:48:51
Quelle psirt@adobe.com
CVE-Watchlists
Login
Unerledigt
Login

A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Magento ≫ Magento SwEditioncommerce Version < 1.14.4.2

Magento ≫ Magento SwEditionopen_source Version >= 1.0.0 < 1.9.4.2

Magento ≫ Magento SwEditionopen_source Version >= 2.1.0 < 2.1.18

Magento ≫ Magento SwEditionopen_source Version >= 2.2.0 < 2.2.9

Magento ≫ Magento SwEditionopen_source Version >= 2.3.0 < 2.3.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.115

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-7849

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-7849

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-7849

EUVD