CVE-2020-24406
Document root path disclosure on Maintenance page
3.7
LOW
CVSS 3.1
EPSS 0.29%
Description
When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.
How to fix CVE-2020-24406
To remediate CVE-2020-24406, upgrade the affected package to a fixed version below.
- upgrade to 2.3.5 or later
- upgrade to 2.3.6 or later
Is CVE-2020-24406 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0, < 2.3.5 and >= 2.4.0, < 2.4.1
- >= 0, < 2.3.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |