Skip to main content

Magento CVE-2020-9577

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-06-26 psirt@adobe.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 26, 2020 - 21:15 nvd
MEDIUM 6.1

DescriptionNVD

Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure .

AnalysisAI

Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure . Affected products include: Magento.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2016-4010 CRITICAL POC
9.8 Jan 23

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary

CVE-2015-1397 MEDIUM POC
6.5 Apr 29

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Communit

CVE-2024-34102 CRITICAL POC
9.8 Jun 13

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML E

CVE-2015-1398 MEDIUM POC
6.5 Apr 29

Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.

CVE-2019-7139 CRITICAL POC
9.8 Apr 10

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which ca

CVE-2020-8818 HIGH POC
8.1 Feb 25

An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Rated high severity (CVSS 8.1), th

CVE-2023-41879 HIGH POC
7.5 Sep 11

Magento LTS is the official OpenMage LTS codebase. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi

CVE-2015-1399 MEDIUM POC
6.5 Apr 29

PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento

CVE-2015-3458 MEDIUM POC
6.5 Apr 29

The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterpri

CVE-2014-9758 MEDIUM POC
6.1 Sep 20

Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platform 1.9.0.1. Rated medium severity (CVSS 6.1), this

CVE-2015-8707 CRITICAL
9.8 Sep 26

Password reset tokens in Magento CE before 1.9.2.2, and Magento EE before 1.14.2.2 are passed via a GET request and not

CVE-2024-45115 CRITICAL
9.8 Oct 10

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication v

Share

CVE-2020-9577 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy