9.1

CVE-2020-24407

Arbitrary code execution via file import functionality

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
Data provided by the National Vulnerability Database (NVD)
Magento Magento | SwEdition commerce | Version < 2.3.5
Magento Magento | SwEdition open_source | Version < 2.3.5
Magento Magento | Version 2.3.5 | Update - | SwEdition commerce
Magento Magento | Version 2.3.5 | Update - | SwEdition open_source
Magento Magento | Version 2.3.5 | Update p1 | SwEdition commerce
Magento Magento | Version 2.3.5 | Update p1 | SwEdition open_source
Magento Magento | Version 2.4.0 | SwEdition commerce
Magento Magento | Version 2.4.0 | SwEdition open_source
No warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 3.06% | 0.868
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 9.1 | 2.3 | 6 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C
psirt@adobe.com | 9.1 | 2.3 | 6 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.