CVE-2020-24408 – magento/community-edition
Package
Manager: composer
Name: magento/community-edition
Vulnerable Version: >=0 <2.4.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01321 (percentile 0.79107)
Details
Magento 2 Community Edition XSS Vulnerability
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.
Metadata
Created: 2022-05-24T17:31:03Z
Modified: 2023-08-23T17:58:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jxjc-6xmh-h7mg/GHSA-jxjc-6xmh-h7mg.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-jxjc-6xmh-h7mg
Finding: F425
Auto approve: 1