CVE-2020-24408Cross-site Scripting in Magento Community-edition

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
1.3%
top 20.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Magento Community-editionAdobe Magento CommerceMagento
Timeline
PublishedOct 16
Latest updateMay 24

Description

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

Packagistmagento/community-edition< 2.4.1
NVDmagento/magento2.3.4+2
CVEListV5adobe/magento_commerceunspecified2.4.0+2

🔴Vulnerability Details

3
OSV
Magento 2 Community Edition XSS Vulnerability2022-05-24
GHSA
Magento 2 Community Edition XSS Vulnerability2022-05-24
CVEList
Stored XSS in customer address upload feature2020-10-16
CVE-2020-24408 — Cross-site Scripting in Magento | cvebase