CVE-2020-24400: SQL Injection in Magento

CWE-89: SQL Injection | 4 documents | 4 sources
Severity: 7.1 HIGH (NVD)
EPSS: 0.3% (top 50.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 9 | Latest update May 24

Description

Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Exploitability: 2.8 | Impact: 4.2

Affected Packages (3 packages)

NVD | magento/magento | < 2.3.5 | +2
Packagist | magento/community-edition | 2.4.0 | 2.4.1 | +1
CVEListV5 | adobe/magento_commerce | unspecified | 2.4.0 | +2

Vulnerability Details (3)

OSV: Magento SQL Injection vulnerability (2022-05-24)
GHSA: Magento SQL Injection vulnerability (2022-05-24)
CVEList: SQL injection allows arbitrary read from database (2020-11-09)