CVE-2020-24408

Name of the Vulnerable Software and Affected Versions Magento versions 2.4.0 and 2.3.5p1 (and earlier)

Description The issue is related to a persistent XSS vulnerability in the file upload component, allowing users to upload malicious JavaScript. This could be exploited by an unauthenticated attacker to execute XSS attacks against other Magento users, requiring a victim to browse to the uploaded file. The vulnerability exists due to insufficient cleaning of user-provided data, which may allow a remote attacker to execute malicious JavaScript code using specially crafted HTTP requests.

Recommendations For Magento versions 2.4.0 and 2.3.5p1 (and earlier), consider disabling the file upload component until a patch is available to prevent the upload of malicious JavaScript files. Restrict access to uploaded files to minimize the risk of exploitation. Avoid using the file upload feature in the affected versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.