Description

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.

Remediation

References

CVE-2020-24408

Related Vulnerabilities

WordPress Plugin WordPoints Multiple Vulnerabilities (1.7.0)

WordPress Plugin Profile Builder-User Profile & User Registration Forms Cross-Site Request Forgery (3.6.4)

WordPress Improper Input Validation Vulnerability (CVE-2011-3127)

Piwigo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-17775)

WordPress Server-Side Request Forgery (SSRF) Vulnerability (CVE-2017-9066)

Severity

Medium

Classification

CVE-2020-24408 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities