CVE-2024-20719

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be leveraged to gain admin access.

Published: Feb 15, 2024
Updated: Feb 17, 2024
CVE: CVE-2024-20719
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
adobe / commerce	2.4.4	2.4.4.x
adobe / commerce	2.4.5	2.4.5.x
adobe / commerce	2.4.4-p1	2.4.4-p1.x
adobe / commerce	2.4.5-p1	2.4.5-p1.x
adobe / commerce	2.4.4-p2	2.4.4-p2.x
adobe / commerce	2.4.5-p2	2.4.5-p2.x
adobe / commerce	2.4.4-p3	2.4.4-p3.x
adobe / commerce	2.4.6	2.4.6.x
adobe / commerce	2.4.4-p4	2.4.4-p4.x
adobe / commerce	2.4.5-p3	2.4.5-p3.x
adobe / commerce	2.4.6-p1	2.4.6-p1.x
adobe / commerce	2.4.5-p4	2.4.5-p4.x
adobe / commerce	2.4.4-p5	2.4.4-p5.x
adobe / commerce	2.4.5-p5	2.4.5-p5.x
adobe / commerce	2.4.6-p2	2.4.6-p2.x
adobe / commerce	2.4.6-p3	2.4.6-p3.x
adobe / commerce	2.4.4-p6	2.4.4-p6.x

https://helpx.adobe.com/security/products/magento/apsb24-03.html

Vulnerability Database

289,784

CVE-2024-20719