CVE-2024-20759Cross-site Scripting in Adobe Commerce

CWE-79Cross-site Scripting4 documents4 sources
Severity
8.1HIGHNVD
EPSS
1.6%
top 18.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Magento Community-editionAdobe CommerceMagento Project-community-edition+2 more
Timeline
PublishedApr 10

Description

Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality and integrity are considered high due to having admin impact.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:NExploitability: 1.7 | Impact: 5.8

Affected Packages5 packages

CVEListV5adobe/adobe_commerce2.4.7-beta3
NVDadobe/commerce9 versions+8
NVDadobe/magento4 versions+3
Packagistmagento/community-edition2.4.7-beta12.4.7+3

🔴Vulnerability Details

3
GHSA
Magento Open Source allows Cross-Site Scripting (XSS)2024-04-10
CVEList
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)2024-04-10
OSV
Magento Open Source allows Cross-Site Scripting (XSS)2024-04-10
CVE-2024-20759 — Cross-site Scripting in Adobe Commerce | cvebase