8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-20759

GHSA ID

GHSA-59vf-hjxc-f9c5

EPSS Score

0.69588%

CWE

CWE-79

Published

4/10/2024

Updated

3/4/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-20759

CVE-2024-20759: Magento Open Source allows Cross-Site Scripting (XSS)

Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality and integrity are considered high due to having admin impact.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-20759

GHSA ID

GHSA-59vf-hjxc-f9c5

EPSS Score

0.69588%

CWE

CWE-79

Published

4/10/2024

Updated

3/4/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	= 2.4.4
magento/community-edition	composer	>= 2.4.7-beta1, <= 2.4.7-beta3	2.4.7
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p5	2.4.6-p5
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p7	2.4.5-p7
magento/community-edition	composer	>= 2.4.4-p1, < 2.4.4-p8	2.4.4-p8
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information lacks specific technical details about implementation flaws, commit diffs, or patch comparisons. While the XSS vulnerability clearly stems from improper input sanitization in admin-accessible form fields (CWE-79), Magento's architecture involves multiple layers of abstraction (controllers, view models, templates, UI components) where the vulnerability could manifest. Without concrete evidence from code changes or official patch details, we cannot confidently identify specific functions. The vulnerability likely exists in template rendering logic or form data handling components that omit proper escaping (e.g., missing escapeHtml calls in .phtml templates), but these are educated guesses rather than confirmed targets.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-p*, *.*.*-p*, *.*.*-p*, *.*.*-**t** *n* **rli*r *r* *****t** *y * stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility t**t *oul* ** **us** *y * *i**-privil**** *tt**k*r to inj**t m*li*ious s*ripts into vuln*r**l* *orm *i*l*s

Reasoning

T** provi*** vuln*r**ility in*orm*tion l**ks sp**i*i* t***ni**l **t*ils **out impl*m*nt*tion *l*ws, *ommit *i**s, or p*t** *omp*risons. W*il* t** XSS vuln*r**ility *l**rly st*ms *rom improp*r input s*nitiz*tion in **min-****ssi*l* *orm *i*l*s (*W*-**

8.1

Basic Information

Concerned about an active attack path?

CVE-2024-20759: Magento Open Source allows Cross-Site Scripting (XSS)

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI