Description

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.

Remediation

References

CVE-2020-24408

Related Vulnerabilities

Jetty Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2024-22201)

WebLogic Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2018-1324)

WordPress Plugin BuddyPress Cross-Site Scripting (2.2.2.1)

WordPress Plugin MW Font Changer Cross-Site Scripting (4.2.5)

Plone CMS Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-4030)

Severity

Medium

Classification

CVE-2020-24408 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities