CVE-2020-24407 — Unrestricted File Upload in Magento

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

3.7%

top 12.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Magento Commerce +1 more

Timeline

PublishedNov 9

Latest updateMay 24

Description

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages4 packages

▶NVDmagento/magento< 2.3.5+2

▶Packagistmagento/community-edition< 2.4.1

▶CVEListV5adobe/magento_commerceunspecified — 2.4.0+2

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

OSV

Magento 2 Community Edition RCE via Unsafe File Upload↗2022-05-24

▶

GHSA

Magento 2 Community Edition RCE via Unsafe File Upload↗2022-05-24

▶

CVEList

Arbitrary code execution via file import functionality↗2020-11-09

▶