CVE-2020-9584
Description
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento suffers from a stored cross-site scripting (XSS) vulnerability in multiple versions that could lead to sensitive information disclosure.
Magento versions 2.3.4 and earlier, 2.2.11 and earlier, 1.14.4.4 and earlier, and 1.9.4.4 and earlier contain a stored cross-site scripting (XSS) vulnerability [1]. This type of vulnerability occurs when user-supplied input is not properly sanitized before being stored and later served to other users, allowing an attacker to inject malicious scripts into the application [1].
To exploit this, an attacker would typically need to have access to the Magento admin panel or a privileged user role that can create or edit content (such as product descriptions, blocks, or pages) where the stored input is rendered [1]. The attack does not require authentication from the victim, as the malicious script executes when any user views the compromised page [1].
The impact of successful exploitation is sensitive information disclosure, which could include session tokens, admin credentials, or other confidential data accessible in the victim's browser context [1]. This can lead to further compromise of the Magento instance and associated customer data.
Adobe has released security patches to address this vulnerability in later versions of Magento [2]. Users on affected versions should upgrade to Magento 2.3.5 or later, 2.2.12 or later, or the latest versions of Magento 1 (though Magento 1 reached end-of-life) to eliminate the risk [1].
- NVD - CVE-2020-9584
- GitHub - magento/magento2
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.3.0, < 2.3.4-p2 | 2.3.4-p2 |
| magento/community-edition | Packagist | < 2.2.12 | 2.2.12 |
| magento/core | Packagist | < 1.9.4.5 | 1.9.4.5 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products
OSV package coordinates:
- pkg:bitnami/magento
- pkg:composer/magento/community-edition
- pkg:composer/magento/core
- pkg:composer/magento/project-community-edition

Affected version ranges (no CPE assigned):
- >= 2.2.0, < 2.2.12
- >= 2.3.0, < 2.3.4-p2
- < 1.9.4.5
- <= 2.0.2
- 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier versions
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-45h4-6gcj-6hwv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-9584 (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb20-22.html (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.