Lucene search

AdobeCVE-2020-24408

HistoryOct 16, 2020 - 3:15 p.m.

CVE-2020-24408

2020-10-1615:15:11

CWE-79

adobe

web.nvd.nist.gov

magento

xss

cve-2020-24408

nvd

persistent xss

file upload security vulnerability

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

35.7%

JSON

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.

Affected configurations

Nvd

Vulners

Node

magentomagentoRange≤2.3.4commerce

magentomagentoRange≤2.3.4open_source

magentomagentoMatch2.3.5-commerce

magentomagentoMatch2.3.5-open_source

magentomagentoMatch2.3.5p1commerce

magentomagentoMatch2.3.5p1open_source

magentomagentoMatch2.4.0commerce

magentomagentoMatch2.4.0open_source

VendorProductVersionCPE
magentomagento*cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*
magentomagento*cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
magentomagento2.3.5cpe:2.3:a:magento:magento:2.3.5:-:*:*:commerce:*:*:*
magentomagento2.3.5cpe:2.3:a:magento:magento:2.3.5:-:*:*:open_source:*:*:*
magentomagento2.3.5cpe:2.3:a:magento:magento:2.3.5:p1:*:*:commerce:*:*:*
magentomagento2.3.5cpe:2.3:a:magento:magento:2.3.5:p1:*:*:open_source:*:*:*
magentomagento2.4.0cpe:2.3:a:magento:magento:2.4.0:*:*:*:commerce:*:*:*
magentomagento2.4.0cpe:2.3:a:magento:magento:2.4.0:*:*:*:open_source:*:*:*

Vendor	Product	Version	CPE
magento	magento	*	cpe:2.3:a:magento:magento:::::commerce:::*
magento	magento	*	cpe:2.3:a:magento:magento:::::open_source:::*
magento	magento	2.3.5	cpe:2.3:a:magento:magento:2.3.5:-:::commerce:::*
magento	magento	2.3.5	cpe:2.3:a:magento:magento:2.3.5:-:::open_source:::*
magento	magento	2.3.5	cpe:2.3:a:magento:magento:2.3.5:p1:::commerce:::*
magento	magento	2.3.5	cpe:2.3:a:magento:magento:2.3.5:p1:::open_source:::*
magento	magento	2.4.0	cpe:2.3:a:magento:magento:2.4.0::::commerce:::
magento	magento	2.4.0	cpe:2.3:a:magento:magento:2.4.0::::open_source:::

CNA Affected

[
  {
    "product": "Magento Commerce",
    "vendor": "Adobe",
    "versions": [
      {
        "lessThanOrEqual": "2.4.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "2.3.5p1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "None",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

helpx.adobe.com/security/products/magento/apsb20-59.html

Social References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

35.7%

JSON

Related for CVE-2020-24408