CVE-2020-24401

Name of the Vulnerable Software and Affected Versions Magento versions 2.4.0 and 2.3.5p1 (and earlier)

Description The issue is related to incorrect authorization, allowing a user to access resources provisioned under their old role even after an administrator removes the role or disables the user's account. This can enable a remote attacker to gain unauthorized access to protected information.

Recommendations For Magento versions 2.4.0 and 2.3.5p1 (and earlier), consider temporarily restricting access to sensitive resources until a patch is available. As a temporary workaround, consider disabling the role provisioning feature until a fix is released. At the moment, there is no information about a newer version that contains a fix for this vulnerability.