⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2024-20720: OS Command Injection in Adobe Commerce

Severity: 9.1 CRITICAL (NVD)
EPSS: 7.2% (top 8.38%)
CISA KEV: Not in KEV
Exploit: Exploited in wild, active exploitation observed
Timeline: Published Feb 15, 2024

Description

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

Read literally, the vector says: reachable over the network (AV:N), low attack complexity (AC:L), high privileges required (PR:H, i.e. the attacker already holds an administrative-level account), no user interaction (UI:N), scope changed (S:C, the impact reaches beyond the vulnerable component, which is why the base score is 9.1 despite PR:H), and high confidentiality, integrity and availability impact.

Affected Packages (4 packages)

CVEListV5: adobe/adobe_commerce 2.4.4-p6
NVD: adobe/commerce 2.4.4, 2.4.5, 2.4.6 (+2 more)
Packagist: magento/community-edition 2.4.6-p1, 2.4.6-p4 (+2 more)
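Added example, not Adobe's, Magento's or cvebase's code: a version check that encodes only what the description states, namely that on the 2.4.4, 2.4.5 and 2.4.6 release lines every patch level up to p6, p5 and p3 respectively is affected. The three lines, their ceilings and the `-pN` version format come from the description; treating any other line (2.4.7, 2.4.3 and older) as "unknown" instead of resolving the description's "and earlier" is this example's own choice, and the sample fleet in the usage is constructed.

```python
"""Affected-version triage for CVE-2024-20720 (added example; not Adobe's or cvebase's code)."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Highest affected patch level per release line, straight from the description:
# (2, 4, 6): 3 means 2.4.6 (bare), 2.4.6-p1, -p2 and -p3 are affected, -p4 is not.
# Assumption of this example: lines not listed here are reported as unknown.
AFFECTED_CEILING = {(2, 4, 4): 6, (2, 4, 5): 5, (2, 4, 6): 3}

# Adobe Commerce / Magento Open Source version strings as they appear above: "2.4.6-p3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], int]:
    """'2.4.6-p3' -> ((2, 4, 6), 3). A bare '2.4.6' is patch level 0.
    Anything else (betas, garbage) raises so it cannot be silently mis-triaged."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch)), int(p or 0)


def is_affected(version: str) -> Optional[bool]:
    """True/False for the three release lines the description covers, None otherwise."""
    line, patch_level = parse_version(version)
    ceiling = AFFECTED_CEILING.get(line)
    if ceiling is None:
        return None
    return patch_level <= ceiling


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Label each installed version for a fleet report; unparseable strings are
    flagged rather than dropped, so a stray beta build still gets a human look."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    report = {}
    for v in versions:
        try:
            report[v] = labels[is_affected(v)]
        except ValueError:
            report[v] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed sample fleet, not real inventory data.
    fleet = ["2.4.6-p3", "2.4.6-p4", "2.4.5", "2.4.4-p7", "2.4.7", "2.4.7-beta1"]
    for version, verdict in triage(fleet).items():
        print(f"{version:12s} {verdict}")
```

Feed it the output of `composer show magento/product-community-edition` (or the version from the admin footer) across your stores; anything labelled "affected" needs the vendor patch, and "unknown" or "unparseable" needs a person to read Adobe's advisory rather than a script to guess.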

🔴 Vulnerability Details (4)

CVEList: Command injection in data collector backup due to insufficient patching of CVE-2023-38208 (2024-02-15)
GHSA: Magento Open Source allows OS Command Injection (2024-02-15)
OSV: Magento Open Source allows OS Command Injection (2024-02-15)
VulnCheck: Adobe Commerce Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (2024)

🕵️ Threat Intelligence (1)

Threat Intel: ScreamedJungle
CVE-2024-20720 — OS Command Injection in Adobe Commerce | cvebase