Platform: php
Component: magento/community-edition
Fixed in: 2.4.5
CVE-2024-20719 is a critical stored Cross-Site Scripting (XSS) vulnerability affecting Magento Community Edition versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6, and earlier. This vulnerability allows an authenticated admin attacker to inject malicious scripts into every admin page. Successful exploitation could lead to unauthorized access and control of the Magento instance, impacting sensitive data and system operations. A fix is available in version 2.4.4.
The impact of CVE-2024-20719 is severe due to the potential for complete admin account takeover. An attacker who can inject and execute JavaScript within the Magento admin panel gains the ability to perform any action as an administrator. This includes creating new users, modifying product data, accessing customer information, and even deploying malicious code to the storefront. The stored nature of the XSS means the injected script persists, potentially affecting all users who access the affected admin pages. This vulnerability shares similarities with other XSS vulnerabilities in web applications where admin panels are targeted for privilege escalation.
CVE-2024-20719 was publicly disclosed on February 15, 2024. The vulnerability's criticality (CVSS 9.1) and the potential for admin takeover suggest a high probability of exploitation. While no public exploits have been confirmed, the ease of exploitation for XSS vulnerabilities often leads to rapid development and dissemination of proof-of-concept code. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 1.15% (78th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-20719 is to upgrade Magento Community Edition to version 2.4.4 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting admin panels can provide an additional layer of defense. Carefully review and restrict access to the Magento admin panel, enforcing strong password policies and multi-factor authentication. Regularly scan the Magento installation for XSS vulnerabilities using automated tools.
Update Adobe Commerce to the latest available version. Refer to the Adobe security bulletin for more information and the fixed versions. Apply the security patches provided by Adobe as soon as possible.
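The root cause of a stored XSS like this one is admin-supplied data being written into admin-page HTML without context-appropriate output encoding. The following is an added example, not code from this page or from Magento itself, showing the vulnerable rendering pattern next to a hardened version that encodes the same value for the HTML text, HTML attribute and inline JavaScript contexts. The function names and the sample stored value are constructed for illustration; in real Magento templates the equivalent calls are the framework's own escaper methods (escapeHtml, escapeHtmlAttr, escapeJs).

```php
<?php
declare(strict_types=1);

// Constructed sample: a value an admin user could have saved (for example a
// product label) that carries script-bearing markup. Not taken from any real
// exploit of CVE-2024-20719.
const SAMPLE_STORED_VALUE = 'Summer sale <img src=x onerror="alert(document.cookie)">';

/**
 * Vulnerable pattern: stored data is concatenated straight into admin-page
 * HTML, so the browser parses the saved markup as live HTML and runs the
 * event handler on every page load.
 */
function renderUnsafe(string $stored): string
{
    return '<td class="label">' . $stored . '</td>';
}

/** Hardened: encode for the HTML text context (between tags). */
function escapeHtmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened: encode for a quoted HTML attribute value. */
function escapeHtmlAttr(string $value): string
{
    // Same entity set as the text context; the quote characters are what
    // would otherwise let the value break out of the attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened: embed the value as a JavaScript string literal inside <script>. */
function escapeJs(string $value): string
{
    // json_encode yields a valid JS string literal; the HEX flags additionally
    // escape < > & ' " so the literal cannot close the surrounding <script>.
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    return $encoded === false ? '""' : $encoded;
}

/** Hardened rendering: each insertion point uses the encoder for its context. */
function renderSafe(string $stored): string
{
    return '<td class="label" title="' . escapeHtmlAttr($stored) . '">'
        . escapeHtmlText($stored)
        . '</td>'
        . '<script>var label = ' . escapeJs($stored) . ';</script>';
}

/**
 * Regression check suitable for a unit test: a rendered fragment must not
 * contain an image tag with a raw event-handler attribute.
 */
function containsLiveMarkup(string $html): bool
{
    return (bool) preg_match('/<img\b[^>]*\bonerror=/i', $html);
}

// Unsafe output keeps the markup intact; safe output renders it as inert text.
echo renderUnsafe(SAMPLE_STORED_VALUE), PHP_EOL;
echo renderSafe(SAMPLE_STORED_VALUE), PHP_EOL;
var_dump(containsLiveMarkup(renderUnsafe(SAMPLE_STORED_VALUE)));
var_dump(containsLiveMarkup(renderSafe(SAMPLE_STORED_VALUE)));
```

The point of the three separate encoders is that one escaping routine does not cover every context: HTML entity encoding protects the text and attribute positions, but a value dropped into an inline script needs JavaScript string encoding instead. Treating admin input as untrusted at render time is what removes the persistence that makes a stored XSS in an admin panel so damaging, regardless of which account saved the value.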
CVE-2024-20719 is a critical stored Cross-Site Scripting (XSS) vulnerability in Magento Community Edition versions 2.4.6-p3 and earlier, allowing attackers to inject malicious scripts into admin pages.
Yes, if you are running Magento Community Edition versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6, or earlier, you are affected by this vulnerability.
Upgrade Magento Community Edition to version 2.4.4 or later to resolve this vulnerability. Implement WAF rules and restrict admin panel access as temporary mitigations.
While no confirmed exploitation has been publicly reported, the vulnerability's criticality and ease of exploitation suggest a high probability of exploitation.
Refer to the official Magento Security Advisories page for details: https://devdocs.magento.com/security/