CVE-2020-24403 — Improper Authorization in Magento
Severity
2.7 LOW (NVD)
EPSS
0.2%
top 58.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 9
Latest update: May 24
Description
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Exploitability: 1.2 | Impact: 1.4
Affected Packages: 4 packages
Vulnerability Details
Incorrect permissions could lead to unauthorized modification of inventory source data via REST API (2020-11-09)