CVE-2019-8228: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 24, 2022 (updated July 18, 2023)

in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.

References

github.com/advisories/GHSA-988g-wfwf-5666
nvd.nist.gov/vuln/detail/CVE-2019-8228
web.archive.org/web/20211209030216/https://magento.com/security/patches/supee-11219

Detect and mitigate CVE-2019-8228 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →