Miggo Logo

CVE-2020-9576: Magento command injection vulnerability

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.86309%
Published
5/24/2022
Updated
2/10/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.3.0, < 2.3.4-p22.3.4-p2
magento/community-editioncomposer< 2.2.122.2.12
magento/corecomposer< 1.9.4.51.9.4.5
magento/project-community-editioncomposer<= 2.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The analysis focused on identifying functions that were modified in the security patches, particularly those related to input processing, session handling, and security controls. The changes in AccountManagement and the introduction of SessionCleaner suggest a focus on securing customer session handling. Modifications in other areas, such as mediaDirective, indicate fixes for potential path traversal or URL manipulation vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsions *.*.* *n* **rli*r, *.*.** *n* **rli*r (s** not*), *.**.*.* *n* **rli*r, *n* *.*.*.* *n* **rli*r **v* * *omm*n* inj**tion vuln*r**ility. Su***ss*ul *xploit*tion *oul* l*** to *r*itr*ry *o** *x**ution.

Reasoning

T** *n*lysis *o*us** on i**nti*yin* *un*tions t**t w*r* mo*i*i** in t** s**urity p*t***s, p*rti*ul*rly t*os* r*l*t** to input pro**ssin*, s*ssion **n*lin*, *n* s**urity *ontrols. T** ***n**s in ***ountM*n***m*nt *n* t** intro*u*tion o* S*ssion*l**n*r