CVE-2020-24401 — Incorrect Authorization in Magento

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 48.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Magento Commerce +1 more

Timeline

PublishedNov 9

Latest updateMay 24

Description

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages4 packages

▶NVDmagento/magento< 2.3.5+2

▶Packagistmagento/community-edition< 2.4.1

▶CVEListV5adobe/magento_commerceunspecified — 2.4.0+2

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

OSV

Magento 2 Community Edition Incorrect Authorization↗2022-05-24

▶

GHSA

Magento 2 Community Edition Incorrect Authorization↗2022-05-24

▶

CVEList

Incorrect permissions following the deletion of a user role or deactivation of a user↗2020-11-09

▶