CVE-2019-8227: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 24, 2022 (updated January 11, 2024)

In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.

References

github.com/advisories/GHSA-j49x-jjmj-9fqj
nvd.nist.gov/vuln/detail/CVE-2019-8227
web.archive.org/web/20211209030216/https://magento.com/security/patches/supee-11219

Detect and mitigate CVE-2019-8227 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →