CVE-2020-3715
Description
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento 2.3.3, 2.2.10, 1.14.4.3, 1.9.4.3 and earlier contain a stored XSS vulnerability that can lead to sensitive information disclosure.
Vulnerability Overview
CVE-2020-3715 is a stored cross-site scripting (XSS) vulnerability affecting Magento Commerce (Adobe Commerce) and Magento Open Source versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier [1]. The underlying issue allows an attacker to inject malicious scripts that are persistently stored on the server, without requiring authentication or user interaction during the initial injection.
Attack Vector and Exploitation
An attacker can exploit this stored XSS by submitting crafted input (e.g., via a product review, customer account field, or other user-controllable data) that is not properly sanitized or encoded by the application. Because the script is stored, any user—including administrators—who views the affected page will have the malicious script executed in their browser. The attack requires no special privileges to inject the payload, as it can be delivered through publicly accessible forms or fields. Once the malicious script is stored, it will execute every time the vulnerable page is rendered, affecting all subsequent visitors [1].
Impact
Successful exploitation could lead to disclosure of sensitive information, such as session tokens, cookies, or other data accessible within the user's browser context. In the case of an administrator, the attacker might leverage the XSS to perform privileged actions or exfiltrate administrative credentials. The severity of this vulnerability is rated with a CVSS base score of 6.1 (Medium), indicating a moderate risk to confidentiality and integrity if exploited against authenticated users [1].
Mitigation
Adobe has addressed this vulnerability in security updates for Magento. Merchants should upgrade to Magento 2.3.4 or later, 2.2.11 or later, or for the 1.x branch, apply the latest patches available through the Magento Security Center. No workaround exists beyond upgrading to a fixed version. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the latest update, but prompt patching is recommended due to the low complexity of exploitation [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.3.0, < 2.3.4 | 2.3.4 |
| magento/community-edition (Packagist) | < 2.2.11 | 2.2.11 |
| magento/core (Packagist) | < 1.9.4.4 | 1.9.4.4 |
Affected products
4 entries (OSV coordinates, 3 version ranges):
- (no CPE) range: >= 2.2.0, < 2.2.11
- (no CPE) range: >= 2.3.0, < 2.3.4
- (no CPE) range: < 1.9.4.4
- Range: 2.3.3 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 references:
- github.com/advisories/GHSA-mgg3-v948-2vgr (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-3715 (GHSA, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb20-02.html (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.