CVE-2020-24407: Magento 2 Community Edition RCE via Unsafe File Upload

May 24, 2022 (updated February 10, 2025)

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.

References

github.com/advisories/GHSA-7pxg-6p87-8c9v
github.com/magento/magento2
helpx.adobe.com/security/products/magento/apsb20-59.html
nvd.nist.gov/vuln/detail/CVE-2020-24407

Detect and mitigate CVE-2020-24407 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →