Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-9690

Summary
Assigner-adobe
Assigner Org ID-078d4453-3bcd-4900-85e6-15281da43538
Published At-29 Jul, 2020 | 12:20
Updated At-04 Aug, 2024 | 10:34
Rejected At-
Credits

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:adobe
Assigner Org ID:078d4453-3bcd-4900-85e6-15281da43538
Published At:29 Jul, 2020 | 12:20
Updated At:04 Aug, 2024 | 10:34
Rejected At:
▼CVE Numbering Authority (CNA)

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

Affected Products
Vendor
Adobe Inc.Adobe
Product
Magento
Versions
Affected
  • 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier versions
Problem Types
TypeCWE IDDescription
textN/AObservable Timing Discrepancy
Type: text
CWE ID: N/A
Description: Observable Timing Discrepancy
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://helpx.adobe.com/security/products/magento/apsb20-47.html
x_refsource_CONFIRM
Hyperlink: https://helpx.adobe.com/security/products/magento/apsb20-47.html
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://helpx.adobe.com/security/products/magento/apsb20-47.html
x_refsource_CONFIRM
x_transferred
Hyperlink: https://helpx.adobe.com/security/products/magento/apsb20-47.html
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@adobe.com
Published At:29 Jul, 2020 | 13:15
Updated At:30 Jul, 2020 | 17:32

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.2MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 4.2
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
magento
magento
>>magento>>Versions before 2.3.5(exclusive)
cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*
magento
magento
>>magento>>Versions before 2.3.5(exclusive)
cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
magento
magento
>>magento>>2.3.5
cpe:2.3:a:magento:magento:2.3.5:-:*:*:commerce:*:*:*
magento
magento
>>magento>>2.3.5
cpe:2.3:a:magento:magento:2.3.5:-:*:*:open_source:*:*:*
magento
magento
>>magento>>2.3.5
cpe:2.3:a:magento:magento:2.3.5:p1:*:*:commerce:*:*:*
magento
magento
>>magento>>2.3.5
cpe:2.3:a:magento:magento:2.3.5:p1:*:*:open_source:*:*:*
Weaknesses
CWE IDTypeSource
CWE-203Primarynvd@nist.gov
CWE ID: CWE-203
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://helpx.adobe.com/security/products/magento/apsb20-47.htmlpsirt@adobe.com
Patch
Vendor Advisory
Hyperlink: https://helpx.adobe.com/security/products/magento/apsb20-47.html
Source: psirt@adobe.com
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

64Records found
CVE-2019-7882
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.10% / 28.68%
||
7 Day CHG~0.00%
Published-02 Aug, 2019 | 21:20
Updated-04 Aug, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.

Action-Not Available
Vendor-magenton/a
Product-magentoMagento 1 Magento 2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7936
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-4.8||MEDIUM
EPSS-0.11% / 29.90%
||
7 Day CHG~0.00%
Published-02 Aug, 2019 | 21:32
Updated-04 Aug, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javascript.

Action-Not Available
Vendor-magenton/a
Product-magentoMagento 2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7869
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.86%
||
7 Day CHG~0.00%
Published-02 Aug, 2019 | 21:16
Updated-04 Aug, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with permissions to manage customer groups.

Action-Not Available
Vendor-magenton/a
Product-magentoMagento 2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7875
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-4.8||MEDIUM
EPSS-0.11% / 29.90%
||
7 Day CHG~0.00%
Published-02 Aug, 2019 | 21:18
Updated-04 Aug, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to newsletter templates.

Action-Not Available
Vendor-magenton/a
Product-magentoMagento 1 Magento 2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-8115
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-4.8||MEDIUM
EPSS-2.14% / 83.50%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 22:26
Updated-04 Aug, 2024 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can inject arbitrary JavaScript code when adding an image for during simple product creation.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento 2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43761
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-8||HIGH
EPSS-3.25% / 86.62%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 20:27
Updated-17 Sep, 2024 | 00:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager Stored XSS on Edit Tag page via Localization input

AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_cloud_serviceexperience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-40711
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-2.15% / 83.55%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 15:42
Updated-23 Apr, 2025 | 19:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager Stored Cross-Site Scripting Could Lead to Arbitrary Code Execution

Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a stored XSS vulnerability when creating Content Fragments. An authenticated attacker can send a malformed POST request to achieve arbitrary code execution. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-21023
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-4.8||MEDIUM
EPSS-2.82% / 85.60%
||
7 Day CHG~0.00%
Published-11 Feb, 2021 | 19:29
Updated-17 Sep, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Magento Commerce Stored Cross Site Scripting Vulnerability Could Lead To Arbitrary Code Execution

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento Commerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-21029
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-4.8||MEDIUM
EPSS-43.50% / 97.42%
||
7 Day CHG~0.00%
Published-11 Feb, 2021 | 19:29
Updated-16 Sep, 2024 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento Commerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9741
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-9||CRITICAL
EPSS-0.66% / 70.12%
||
7 Day CHG~0.00%
Published-10 Sep, 2020 | 16:35
Updated-16 Sep, 2024 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in AEM Forms Components

The AEM forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Forms component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9734
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-9||CRITICAL
EPSS-0.66% / 70.12%
||
7 Day CHG~0.00%
Published-10 Sep, 2020 | 16:35
Updated-17 Sep, 2024 | 02:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in AEM Forms component

The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.1 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Forms component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9644
Matching Score-8
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-8
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-3.70% / 87.48%
||
7 Day CHG~0.00%
Published-12 Jun, 2020 | 13:13
Updated-04 Aug, 2024 | 10:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe Experience Manager versions 6.5 and earlier have a cross-site scripting (stored) vulnerability. Successful exploitation could lead to arbitrary javascript execution in the browser.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9588
Matching Score-6
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-6
Assigner-Adobe Systems Incorporated
CVSS Score-7.2||HIGH
EPSS-1.19% / 77.92%
||
7 Day CHG+0.31%
Published-26 Jun, 2020 | 20:20
Updated-04 Aug, 2024 | 10:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoMagento
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-15151
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-0.09% / 26.09%
||
7 Day CHG~0.00%
Published-19 Aug, 2020 | 18:10
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Observable Timing Discrepancy in OpenMage LTS

OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `fromkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.

Action-Not Available
Vendor-magentoopenmageOpenMage
Product-openmage_long_term_supportmagentomagento-lts
CWE ID-CWE-203
Observable Discrepancy
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • Next
Details not found