AttackerKBAKB:42F5FB3C-23E1-4765-87C8-CC074AA81F28CVE-2020-9691
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.
Recent assessments:
ericalexanderorg at August 03, 2020 6:46pm UTC reported:
Not enough data ATM to accurately talk risk, but there’s some concerning factors. Taking an educated guess an value & exploitability.
> dom-based cross-site scripting
>
> CVSS PR:N – No authentication required
>
> Magento v1 just hit EOL and this patch is only v2. It’s not going to be a simple patch operation for many as they navigate dependencies from the v1 to v2 jump.
>
> Magento put the mage in magecart – it’s a popular target
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 2
Related
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C