Attacker Value
Very High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
3

CVE-2020-9691

Disclosure Date: July 29, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.

Add Assessment

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
Technical Analysis

Not enough data ATM to accurately talk risk, but there’s some concerning factors. Taking an educated guess an value & exploitability.

dom-based cross-site scripting

CVSS PR:N – No authentication required

Magento v1 just hit EOL and this patch is only v2. It’s not going to be a simple patch operation for many as they navigate dependencies from the v1 to v2 jump.

Magento put the mage in magecart – it’s a popular target

General Information

Vendors

  • Adobe

Products

  • Magento

Additional Info

Technical Analysis