{"id":"CVE-2024-20719","summary":"[Adobe Commerce] Stored XSS from low privileged admin user on every admin page, bypassing CVE-2023-29297","details":"Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be leveraged to gain admin access. ","aliases":["GHSA-264g-f7v8-q5qq"],"modified":"2026-07-08T06:41:36.727215213Z","published":"2024-02-15T13:39:38.538Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/20xxx/CVE-2024-20719.json","cna_assigner":"adobe","unresolved_ranges":[{"extracted_events":[{"last_affected":"2.4.4-p6"}],"source":"AFFECTED_FIELD"}]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/20xxx/CVE-2024-20719.json"},{"type":"ADVISORY","url":"https://helpx.adobe.com/security/products/magento/apsb24-03.html"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-20719"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/magento/magento2","events":[{"introduced":"0f9a056c8d83c4f319626b3e56ec52a533999f25"},{"last_affected":"6cc0d28cf66074adebc261e981eb35811601f813"}],"database_specific":{"extracted_events":[{"introduced":"2.4.4-NA"},{"last_affected":"2.4.4-NA"},{"introduced":"2.4.4-p1"},{"last_affected":"2.4.4-p1"},{"introduced":"2.4.4-p2"},{"last_affected":"2.4.4-p2"},{"introduced":"2.4.4-p3"},{"last_affected":"2.4.4-p3"},{"introduced":"2.4.4-p4"},{"last_affected":"2.4.4-p4"},{"introduced":"2.4.4-p5"},{"last_affected":"2.4.4-p5"},{"introduced":"2.4.4-p6"},{"last_affected":"2.4.4-p6"},{"introduced":"2.4.5-NA"},{"last_affected":"2.4.5-NA"},{"introduced":"2.4.5-p1"},{"last_affected":"2.4.5-p1"},{"introduced":"2.4.5-p2"},{"last_affected":"2.4.5-p2"},{"introduced":"2.4.5-p3"},{"last_affected":"2.4.5-p3"},{"introduced":"2.4.5-p4"},{"last_affected":"2.4.5-p4"},{"introduced":"2.4.5-p5"},{"last_affected":"2.4.5-p5"},{"introduced":"2.4.6-NA"},{"last_affected":"2.4.6-NA"},{"introduced":"2.4.6-p1"},{"last_affected":"2.4.6-p1"},{"introduced":"2.4.6-p2"},{"last_affected":"2.4.6-p2"},{"introduced":"2.4.6-p3"},{"last_affected":"2.4.6-p3"}],"cpe":["cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.5:p3:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.5:p4:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.5:p5:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.6:p1:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.6:p2:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.6:p3:*:*:*:*:*:*"],"source":"CPE_STRING"}}],"versions":["2.4.4-NA","2.4.4-p1","2.4.4-p2","2.4.4-p3","2.4.4-p4","2.4.4-p5","2.4.4-p6","2.4.5-NA","2.4.5-p1","2.4.5-p2","2.4.5-p3","2.4.5-p4","2.4.5-p5","2.4.6-NA","2.4.6-p1","2.4.6-p2","2.4.6-p3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-20719.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}