9.8

CVSS Score

Basic Information

CVE ID

CVE-2020-3716

GHSA ID

GHSA-9wc9-498w-h8xv

EPSS Score

CWE

CWE-502

Published

5/24/2022

Updated

1/10/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-3716

CVE-2020-3716:
Magento deserialization vulnerability

Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2020-3716

GHSA ID

GHSA-9wc9-498w-h8xv

EPSS Score

CWE

CWE-502

Published

5/24/2022

Updated

1/10/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.2.0, < 2.2.11	2.2.11
magento/community-edition	composer	>= 2.3.0, < 2.3.4	2.3.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The CVE-2020-3716 explicitly references deserialization of untrusted data (CWE-502). PHP's unserialize() function is inherently risky when applied to user-controlled input, as it can execute code during object instantiation. Magento's patch likely replaced unsafe unserialize() calls with safer alternatives (e.g., json_decode()) or implemented allow-list restrictions for classes during deserialization. While the exact file paths and context aren't provided in the advisory, the root cause is unequivocally tied to unserialize() usage on untrusted data, a common pattern in PHP deserialization vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsions *.*.* *n* **rli*r, *.*.** *n* **rli*r, *.**.*.* *n* **rli*r, *n* *.*.*.* *n* **rli*r **v* * **s*ri*liz*tion o* untrust** **t* vuln*r**ility. Su***ss*ul *xploit*tion *oul* l*** to *r*itr*ry *o** *x**ution.

Reasoning

T** *V*-****-**** *xpli*itly r***r*n**s **s*ri*liz*tion o* untrust** **t* (*W*-***). P*P's uns*ri*liz*() *un*tion is in**r*ntly risky w**n *ppli** to us*r-*ontroll** input, *s it **n *x**ut* *o** *urin* o*j**t inst*nti*tion. M***nto's p*t** lik*ly r*

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-3716: Magento deserialization vulnerability

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-3716:
Magento deserialization vulnerability

Vulnerability Intelligence
Miggo AI