Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03cHhnLTZwODctOGM5ds4AAmmL
Magento 2 Community Edition RCE via Unsafe File Upload
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
Permalink: https://github.com/advisories/GHSA-7pxg-6p87-8c9vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cHhnLTZwODctOGM5ds4AAmmL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-7pxg-6p87-8c9v, CVE-2020-24407
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-24407
- https://helpx.adobe.com/security/products/magento/apsb20-59.html
- https://github.com/advisories/GHSA-7pxg-6p87-8c9v
Affected Packages
packagist:magento/community-edition
Dependent packages: 13Dependent repositories: 12
Downloads: 48,379 total
Affected Version Ranges: <= 2.4.0
Fixed in: 2.4.1
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0
All unaffected versions: 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7