Miggo Logo
Miggo Vulnerability Database
CVE-2020-24408

CVE-2020-24408: Magento 2 Community Edition XSS Vulnerability

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-24408
GHSA ID
GHSA-jxjc-6xmh-h7mg
EPSS Score
0.78973%
CWE
CWE-79
Published
5/24/2022
Updated
9/7/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer<= 2.4.02.4.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided vulnerability information describes a persistent XSS via file upload in Magento, but the GitHub patch and commit diff details are explicitly marked as unavailable. While the vulnerability clearly involves improper input neutralization (CWE-79) in the file upload component, the lack of specific code references or patching details makes it impossible to confidently identify exact vulnerable functions. The description suggests the issue lies in insufficient validation/sanitization during file upload handling and improper output encoding when serving files, but without concrete code examples or patch comparisons, we cannot reliably map this to specific functions in Magento's codebase with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsions *.*.* *n* *.*.*p* (*n* **rli*r) *r* *****t** *y * p*rsist*nt XSS vuln*r**ility t**t *llows us*rs to uplo** m*li*ious J*v*S*ript vi* t** *il* uplo** *ompon*nt. T*is vuln*r**ility *oul* ** **us** *y *n un*ut**nti**t** *tt**k*r to *x**u

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s * p*rsist*nt XSS vi* *il* uplo** in M***nto, *ut t** *it*u* p*t** *n* *ommit *i** **t*ils *r* *xpli*itly m*rk** *s un*v*il**l*. W*il* t** vuln*r**ility *l**rly involv*s improp*r input n*utr*liz*tion (*