CVE-2019-7865 — Magento 2 Community Edition CSRF Vulnerability

Description

A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration.

How to fix CVE-2019-7865

To remediate CVE-2019-7865, upgrade the affected package to a fixed version below.

—upgrade to 2.1.18 or later
—upgrade to 2.1.18 or later

Is CVE-2019-7865 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 2.1.0, < 2.1.18
>= 2.1, < 2.1.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-7865
PATCHgithub.com/magento/magento2
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7865.yaml
WEBmagento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33