CVE-2024-20720 – magento/project-community-edition
Package
Manager: composer
Name: magento/project-community-edition
Vulnerable Version: >=0 <=2.0.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U
EPSS: 0.04818 (percentile 0.89088)
Details
Magento Open Source allows OS Command Injection. Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.
Metadata
Created: 2024-02-15T15:30:29Z
Modified: 2025-03-04T18:52:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-525f-pvj5-vqmq/GHSA-525f-pvj5-vqmq.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-525f-pvj5-vqmq
Finding: F404
Auto approve: 1