
CVE-2020-9582: Magento command injection vulnerability

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.85739%
Published: 5/24/2022
Updated: 2/10/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name                       Ecosystem  Vulnerable Versions   First Patched Version
magento/community-edition          composer   >= 2.3.0, < 2.3.4-p2  2.3.4-p2
magento/community-edition          composer   < 2.2.12              2.2.12
magento/core                       composer   < 1.9.4.5             1.9.4.5
magento/project-community-edition  composer   <= 2.0.2              (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The available vulnerability information confirms a command injection vulnerability (CWE-78) but includes no code examples, patch diffs, or file paths that would allow the vulnerable functions to be identified precisely. The advisory establishes the vulnerability pattern (OS command injection through improperly sanitized input), and Magento's implementation could involve several potential entry points, such as calls to PHP's exec() or shell_exec() in controllers or service classes. Without concrete evidence from commit history or patch details, however, exact function names and their locations cannot be stated with confidence. The vulnerability most likely stems from user-controlled input being passed unsanitized to a command execution function in a module that handles admin operations or system commands, but this remains speculative in the absence of code-level evidence.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
