-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.2.0, < 2.2.11 | 2.2.11 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.4 | 2.3.4 |
Miggo AIRoot Cause AnalysisThe CVE-2020-3716 explicitly references deserialization of untrusted data (CWE-502). PHP's unserialize() function is inherently risky when applied to user-controlled input, as it can execute code during object instantiation. Magento's patch likely replaced unsafe unserialize() calls with safer alternatives (e.g., json_decode()) or implemented allow-list restrictions for classes during deserialization. While the exact file paths and context aren't provided in the advisory, the root cause is unequivocally tied to unserialize() usage on untrusted data, a common pattern in PHP deserialization vulnerabilities.
PHPPHPOngoing coverage of React2Shell