CVE-2020-24405 — Improper Authorization in Magento

CWE-285 — Improper Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 75.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Magento Commerce

Timeline

PublishedNov 9

Latest updateMay 24

Description

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDmagento/magento< 2.3.5+2

▶Packagistmagento/community-edition2.4.0 — 2.4.1+1

▶CVEListV5adobe/magento_commerceunspecified — 2.4.0+2

🔴Vulnerability Details

GHSA

Magento incorrect permissions vulnerability in the Inventory module↗2022-05-24

▶

OSV

Magento incorrect permissions vulnerability in the Inventory module↗2022-05-24

▶

CVEList

Incorrect permissions in Inventory module could lead to unauthorized modification of inventory stock data↗2020-11-09

▶