CVE-2020-24404: Improper Authorization in Magento

Severity: 2.7 LOW (NVD)
EPSS: 0.3% (top 49.20%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 9 | Latest update May 24

Description

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete CMS pages via the REST API without authorization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Exploitability: 1.2 | Impact: 1.4

Affected Packages (3 packages)

NVD | magento/magento | < 2.3.5 | +2
Packagist | magento/community-edition | 2.4.0 | 2.4.1 | +1
CVEListV5 | adobe/magento_commerce | unspecified | 2.4.0 | +2

Vulnerability Details (3)

GHSA: Magento 2 Community Edition vulnerable to Improper Authorization (2022-05-24)
OSV: Magento 2 Community Edition vulnerable to Improper Authorization (2022-05-24)
CVEList: Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API (2020-11-09)