Miggo Logo

CVE-2020-24406: Magento information disclosure vulnerability

3.7

CVSS Score
3.1

Basic Information

EPSS Score
0.37555%
Published
5/24/2022
Updated
1/11/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer< 2.3.62.3.6
magento/community-editioncomposer= 2.4.02.4.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from path disclosure during maintenance mode. Magento's maintenance mode implementation uses specific error templates and file handling logic. The 503.phtml template (rendered during maintenance) and maintenance mode file handlers are prime candidates for path leakage, as they might inadvertently expose server paths through debug information or environment variable usage. The medium confidence reflects the lack of direct access to patch details, but aligns with common patterns in PHP application vulnerabilities where error templates or maintenance handlers leak sensitive paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n in m*int*n*n** mo**, M***nto v*rsion *.*.* *n* *.*.* (*n* **rli*r) *r* *****t** *y *n in*orm*tion *is*losur* vuln*r**ility t**t *oul* *xpos* t** inst*ll*tion p*t* *urin* *uil* **ploym*nts. T*is in*orm*tion *oul* ** **lp*ul to *tt**k*rs i* t**y *

Reasoning

T** vuln*r**ility st*ms *rom p*t* *is*losur* *urin* m*int*n*n** mo**. M***nto's m*int*n*n** mo** impl*m*nt*tion us*s sp**i*i* *rror t*mpl*t*s *n* *il* **n*lin* lo*i*. T** `***.p*tml` t*mpl*t* (r*n**r** *urin* m*int*n*n**) *n* m*int*n*n** mo** *il* **