CVE-2020-24408
Stored XSS in customer address upload feature
CVSS 3.1 score: 6.1 (MEDIUM)
EPSS: 1.3%
Description
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.
How to fix CVE-2020-24408
To remediate CVE-2020-24408, upgrade the affected package to a fixed version below.
- upgrade to 2.3.6 or later
- upgrade to 2.4.1 or later
Is CVE-2020-24408 being exploited?
Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0, < 2.3.6; >= 2.4.0, < 2.4.1
- >= 0, < 2.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |