CVE-2024-20720 CRITICAL

CVE-2024-20720: Command injection in data collector backup due to insufficient patching of CVE-2023-38208

Vendor Adobe

Product Adobe Commerce

Weakness CWE-78

Published February 15, 2024

Last update December 16, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.

Key dates

02Disclosure timeline

February 15, 2024 CVE published

December 16, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-20720

Related vulnerabilities

CVE-2024-20720: Command injection in data collector backup due to insufficient patching of CVE-2023-38208

01Description

02Disclosure timeline

03References

04Related CVE