PT-2020-4581 · Adobe · Magento Commerce

Published: 2020-10-15 · Updated: 2024-03-06 · CVE-2020-24406

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Magento Commerce versions 2.3.4 and earlier
Magento Commerce version 2.4.0

Description
The issue exists due to insufficient input validation and potentially allows a remote attacker to access confidential information. While the store is in maintenance mode, an information disclosure issue can expose the installation path during build deployments. Knowledge of that path is useful to an attacker only in combination with other exploitable vulnerabilities in the environment, but it removes a layer of uncertainty for them.

Recommendations
For Magento Commerce versions 2.3.4 and earlier, update to a version that includes the security patches addressing the insufficient input validation issue. For Magento Commerce version 2.4.0, restrict access to maintenance mode until a patch is available to prevent potential information disclosure. As a temporary workaround, consider disabling the maintenance mode feature until a patch is available to minimize the risk of exploitation.

Fix

Weakness Enumeration

Information Disclosure
Path traversal

Related Identifiers

BDU:2020-05130
BIT-MAGENTO-2020-24406
CVE-2020-24406
GHSA-MR8Q-7F5J-WC79

Affected Products

Magento Commerce