CVE-2020-9689:
Magento path traversal vulnerability

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.53096%
Published: 5/24/2022
Updated: 2/10/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
magento/community-edition           composer    < 2.3.5-p2            2.3.5-p2
magento/project-community-edition   composer    <= 2.0.2              (none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is an improper path validation issue (CWE-22) in the image handling of Magento's CMS WYSIWYG editor. The fix commit referenced from the GHSA/GitHub advisory modifies Cms module files responsible for image storage and folder deletion, which points at a user-controlled folder path reaching a file-system operation without adequate sanitization. Path traversal in admin controllers that perform file operations is a well-known route to arbitrary file-system access; when the operation is a deletion, a path that escapes the media directory lets the caller remove files outside it, which is consistent with the arbitrary code execution described in the advisory. Note the CVSS vector: exploitation is scored as requiring high privileges (PR:H) and user interaction (UI:R), so the practical precondition is access to the admin WYSIWYG image functions, not an unauthenticated request.
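The following is an added illustration of the CWE-22 pattern described above. It is not Magento's code and does not reproduce the patched Cms module; the class name, method names and directory layout are hypothetical. It shows a folder resolver that trusts the path supplied by the admin UI next to a hardened version that canonicalises the path and refuses anything that resolves outside the media root.

```php
<?php
// Added illustration of the CWE-22 pattern discussed above. Not Magento's code;
// class, method and directory names are hypothetical.
declare(strict_types=1);

final class WysiwygStorageDemo
{
    public function __construct(private string $mediaRoot) {}

    /**
     * Vulnerable pattern: the folder path comes straight from the request and
     * is glued onto the media root. "../../app/etc" walks out of the root, so a
     * subsequent rmdir()/unlink() would act outside the intended directory.
     */
    public function resolveUnsafe(string $nodePath): string
    {
        return rtrim($this->mediaRoot, '/') . '/' . ltrim($nodePath, '/');
    }

    /**
     * Hardened pattern: canonicalise both root and candidate with realpath()
     * and require the candidate to stay strictly inside the root.
     * Returns null when the path must not be operated on.
     */
    public function resolveSafe(string $nodePath): ?string
    {
        $root = realpath($this->mediaRoot);
        if ($root === false) {
            return null;
        }

        // Normalise separators and reject traversal components outright, so a
        // caller cannot even probe for existing files via realpath() failures.
        $normalized = str_replace('\\', '/', $nodePath);
        foreach (explode('/', $normalized) as $segment) {
            if ($segment === '..') {
                return null;
            }
        }

        $candidate = realpath($root . '/' . ltrim($normalized, '/'));
        if ($candidate === false) {
            return null; // target does not exist, so there is nothing to delete
        }

        // Deny the root itself and anything that resolved outside it
        // (for example through a symlink planted inside the media directory).
        if (!str_starts_with($candidate, $root . DIRECTORY_SEPARATOR)) {
            return null;
        }
        return $candidate;
    }
}

// Throwaway directory layout constructed for this example.
$base = sys_get_temp_dir() . '/cwe22-demo-' . bin2hex(random_bytes(4));
mkdir("$base/pub/media/wysiwyg/images", 0700, true);
mkdir("$base/app/etc", 0700, true);

$storage   = new WysiwygStorageDemo("$base/pub/media");
$malicious = '../../app/etc';

echo 'unsafe : ', $storage->resolveUnsafe($malicious), PHP_EOL;
echo 'safe   : ', var_export($storage->resolveSafe($malicious), true), PHP_EOL;
echo 'legit  : ', var_export($storage->resolveSafe('wysiwyg/images'), true), PHP_EOL;
echo 'root   : ', var_export($storage->resolveSafe(''), true), PHP_EOL;

// Clean up the scratch tree.
foreach (["$base/pub/media/wysiwyg/images", "$base/pub/media/wysiwyg",
          "$base/pub/media", "$base/pub", "$base/app/etc", "$base/app", $base] as $dir) {
    rmdir($dir);
}
```

Run with `php demo.php` (PHP 8.0 or later, for constructor promotion and `str_starts_with()`). The unsafe resolver returns a path that still contains the `..` components and points into `app/etc`; the hardened resolver returns null for the traversal attempt and for the empty path (the storage root itself), and only returns a real path for the folder that genuinely lives under the media root. The segment check and the `realpath()` prefix check are deliberately both present: the first gives a cheap, deterministic rejection, the second catches symlinks and other cases where a lexically clean path still resolves elsewhere.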

WAF Protection Rules

WAF Rule

Magento versions 2.3.5-p1 and earlier, and 2.3.4-p2 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.
