CVE-2020-24407 magento/project-community-edition

Package

Manager: composer
Name: magento/project-community-edition
Vulnerable Version: >=0 <=2.0.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.02499 (percentile: 0.84765)

Details

Magento 2 Community Edition RCE via Unsafe File Upload

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.

Metadata

Created: 2022-05-24T17:33:56Z
Modified: 2025-02-10T20:43:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7pxg-6p87-8c9v/GHSA-7pxg-6p87-8c9v.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-7pxg-6p87-8c9v
Finding: F027
Auto approve: 1