9 matches found

CVE, added 2020/11/09 1:15 a.m., 383 views

CVE-2020-24407

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.

CVSS: 9.1, AI score: 9.1, EPSS: 0.02087
CVE, added 2020/11/09 1:15 a.m., 195 views

CVE-2020-24400

Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.

CVSS: 7.1, AI score: 6.6, EPSS: 0.00189
CVE, added 2020/11/09 1:15 a.m., 107 views

CVE-2020-24405

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.

CVSS: 4.3, AI score: 3.8, EPSS: 0.00124
CVE, added 2020/11/09 1:15 a.m., 69 views

CVE-2020-24401

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.

CVSS: 6.5, AI score: 6.2, EPSS: 0.00284
CVE, added 2020/10/16 3:15 p.m., 68 views

CVE-2020-24408

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This ...

CVSS: 6.1, AI score: 6.2, EPSS: 0.01321
CVE, added 2020/11/09 1:15 a.m., 66 views

CVE-2020-24402

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorizati...

CVSS: 5.5, AI score: 4.6, EPSS: 0.00191
CVE, added 2020/11/09 1:15 a.m., 57 views

CVE-2020-24406

When in maintenance mode, Magento versions 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabili...

CVSS: 4.3, AI score: 3.8, EPSS: 0.0016
CVE, added 2020/11/09 1:15 a.m., 54 views

CVE-2020-24403

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the R...

CVSS: 4, AI score: 2.3, EPSS: 0.00273
CVE, added 2020/11/09 1:15 a.m., 50 views

CVE-2020-24404

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete CMS pages via the REST API without authorization.

CVSS: 5.5, AI score: 3.5, EPSS: 0.00275