Virsec Security Research Lab Vulnerability Report
The Virsec Security Research Lab, helmed by Virsec CTO, Satya Gupta, provides timely, relevant analysis about prevalent security vulnerabilities.
1.1 Vulnerability Summary
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
1.2 CVSS Score
The CVSS Base Score is 9.1 (Critical).
1.3 Affected Version
| Product | Affected Versions | Platform |
|---|---|---|
| Magento Commerce | 2.3.5-p1 and earlier versions | All |
| Magento Commerce | 2.3.5-p2 and earlier versions | All |
| Magento Commerce | 2.4.0 and earlier versions | All |
| Magento Open Source | 2.3.5-p1 and earlier versions | All |
| Magento Open Source | 2.3.5-p2 and earlier versions | All |
| Magento Open Source | 2.4.0 and earlier versions | All |
1.4 Vulnerability Attribution
This vulnerability was reported by Adobe.
1.5 Risk Impact
Magento is an extremely popular eCommerce platform built on open source technology. It provides online merchants with a flexible shopping cart system, control over the look, content and functionality of their online store, and powerful marketing, search engine optimization, and catalog-management tools. Because the vulnerable import component is reachable by any account with administrative permissions, a compromised or malicious administrator account can be turned into arbitrary code execution on the store's web server. No public exploit is currently available.
1.6 Virsec Security Platform (VSP) Support
The Virsec Security Platform (VSP)-Host can detect and block unsafe file uploads, preventing this vulnerability from being exploited.
1.7 Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-24407
- https://helpx.adobe.com/security/products/magento/apsb20-59.html
The post CVE-2020-24407: Magento RFI appeared first on Virsec Systems.
*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2020-24407-magento-rfi/