CVE-2020-24402Incorrect Default Permissions in Magento

CWE-276Incorrect Default PermissionsCWE-285Improper Authorization4 documents4 sources
Severity
4.9MEDIUMNVD
EPSS
0.2%
top 58.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
MagentoMagento Community-editionAdobe Magento Commerce+1 more
Timeline
PublishedNov 9
Latest updateMay 24

Description

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

NVDmagento/magento< 2.3.5+2
Packagistmagento/community-edition2.4.02.4.1+1
CVEListV5adobe/magento_commerceunspecified2.4.0+2

🔴Vulnerability Details

3
GHSA
Magento incorrect permissions vulnerability in the Integrations component2022-05-24
OSV
Magento incorrect permissions vulnerability in the Integrations component2022-05-24
CVEList
Incorrect permissions in the Integrations component could lead to unauthorized deletion of customer details via REST API2020-11-09
CVE-2020-24402 — Incorrect Default Permissions | cvebase