Vulnerabilities (CVE)

Filtered by vendor Magento Subscribe
Filtered by product Magento
Total 222 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-24400 1 Magento 1 Magento 2024-02-28 5.5 MEDIUM 7.1 HIGH
Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.
CVE-2020-24403 1 Magento 1 Magento 2024-02-28 4.0 MEDIUM 2.7 LOW
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.
CVE-2021-21019 1 Magento 1 Magento 2024-02-28 6.5 MEDIUM 9.1 CRITICAL
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
CVE-2020-24407 1 Magento 1 Magento 2024-02-28 9.0 HIGH 9.1 CRITICAL
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
CVE-2020-9630 1 Magento 1 Magento 2024-02-28 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2020-9578 1 Magento 1 Magento 2024-02-28 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-15151 2 Magento, Openmage 2 Magento, Openmage Long Term Support 2024-02-28 4.0 MEDIUM 8.0 HIGH
OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `fromkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.
CVE-2020-9585 1 Magento 1 Magento 2024-02-28 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-9587 1 Magento 1 Magento 2024-02-28 5.0 MEDIUM 7.5 HIGH
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.
CVE-2020-9689 1 Magento 1 Magento 2024-02-28 8.5 HIGH 6.5 MEDIUM
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-9631 1 Magento 1 Magento 2024-02-28 10.0 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-9588 1 Magento 1 Magento 2024-02-28 6.5 MEDIUM 7.2 HIGH
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
CVE-2020-9665 1 Magento 1 Magento 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2020-9576 1 Magento 1 Magento 2024-02-28 7.5 HIGH 9.8 CRITICAL
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-9581 1 Magento 1 Magento 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2020-9692 1 Magento 1 Magento 2024-02-28 8.5 HIGH 6.5 MEDIUM
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-9690 1 Magento 1 Magento 2024-02-28 3.5 LOW 4.2 MEDIUM
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
CVE-2020-9584 1 Magento 1 Magento 2024-02-28 3.5 LOW 5.4 MEDIUM
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2020-9591 1 Magento 1 Magento 2024-02-28 5.0 MEDIUM 7.5 HIGH
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to unauthorized access to admin panel.
CVE-2020-9664 1 Magento 1 Magento 2024-02-28 7.5 HIGH 9.8 CRITICAL
Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a php object injection vulnerability. Successful exploitation could lead to arbitrary code execution.