CVE-2020-24402

Published: Nov 9, 2020Modified: Nov 21, 2024

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD (Secondary)

Description

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.

Affected (8)

Products: Magento: Magento

Magento

1 product

Magento

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Magento Magento	Before 2.3.5
Magento Magento	Before 2.3.5
Magento Magento	Version 2.3.5
Magento Magento	Version 2.3.5
Magento Magento	Version 2.3.5 p1
Magento Magento	Version 2.3.5 p1
Magento Magento	Version 2.4.0
Magento Magento	Version 2.4.0

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (2)

https://helpx.adobe.com/security/products/magento/apsb20-59.html

Source: psirt@adobe.com

Vendor Advisory

https://helpx.adobe.com/security/products/magento/apsb20-59.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.