PT-2020-4578 · Adobe · Magento
Published
2020-10-15
·
Updated
2024-03-06
·
CVE-2020-24402
CVSS v2.0
6.4
Medium
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Magento versions 2.4.0 and 2.3.5p1 (and earlier)
Description
The issue is an incorrect permissions (authorization) flaw in the Integrations component of Magento. An authenticated user whose integration has been granted permissions through the Resource Access API can delete customer details via the REST API without holding the authorization that such a deletion should require. Because the flaw sits in the permission checks of the API layer, a remote attacker in possession of such credentials can act on protected customer data without authorization; the CVSS vector records partial confidentiality and integrity impact.
Recommendations
For Magento versions 2.4.0 and 2.3.5p1 (and earlier), upgrade to a release that contains Adobe's fix for CVE-2020-24402. Until the upgrade is deployed, review the Resource Access settings of every Integration (System > Extensions > Integrations in the admin panel) and remove customer-management resources from integrations that do not need them, so that no integration token can reach the customer deletion route.
As a temporary workaround, consider disabling the REST API route used to delete customers (DELETE /V1/customers/{customerId} in a stock Magento 2 installation) until the patched release is in place, and review web-server access logs for DELETE requests to that route made with integration tokens.
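The recommendations above describe a least-privilege review but not how to verify it. The script below is an added example written for this page; it is not part of the advisory, of Adobe's bulletin, or of Magento itself. It probes the customer deletion route with an integration token that was deliberately created without the Magento_Customer::delete resource and a customer id assumed not to exist, so nothing is deleted even on an affected instance: it relies on Magento's REST layer rejecting an unauthorized token with HTTP 401 before the service method runs, while an authorized delete of an unknown id reaches the customer repository and is answered with HTTP 404 "No such entity". The route path, the ACL resource name, the status-code mapping and the error-message strings are assumptions about a stock Magento 2 installation, not facts stated in the advisory. Run it only against a non-production store.

```shell
#!/bin/sh
# Non-destructive probe for over-permissive customer deletion over the Magento REST API.
# ADDED EXAMPLE: not part of the advisory, of Adobe's bulletin, or of Magento itself.
# Assumptions (not stated on the advisory page):
#   - a stock Magento 2 store exposes DELETE /rest/V1/customers/:customerId, guarded by
#     the Magento_Customer::delete ACL resource;
#   - an ACL rejection is answered with HTTP 401 before the service method runs;
#   - an authorized delete of an unknown id is answered with HTTP 404 and a body
#     containing "No such entity", while an unmatched route is answered with HTTP 404
#     and a body containing "does not match any route".
# Use an integration created WITHOUT Magento_Customer::delete, an id that cannot exist,
# and a non-production store.
set -u

# classify_delete_probe STATUS BODY
# Prints a verdict token followed by an explanation. Return codes:
#   0 = blocked (the ACL gate rejected the token, the expected outcome)
#   1 = authorization passed (a real id would have been deleted)
#   2 = inconclusive
classify_delete_probe() {
  status="$1"
  body="$2"
  case "$status" in
    401|403)
      printf 'BLOCKED: HTTP %s, the ACL check rejected the token before deleteById ran\n' "$status"
      return 0 ;;
    404)
      if printf '%s' "$body" | grep -q 'does not match any route'; then
        printf 'INCONCLUSIVE: no such route, check the base URL and the /rest prefix\n'
        return 2
      fi
      if printf '%s' "$body" | grep -q 'No such entity'; then
        printf 'AUTHZ_PASSED: the request reached the customer repository (404 = unknown id)\n'
        return 1
      fi
      printf 'INCONCLUSIVE: HTTP 404 with an unrecognised body\n'
      return 2 ;;
    200)
      printf 'AUTHZ_PASSED: HTTP 200, the customer was deleted\n'
      return 1 ;;
    *)
      printf 'INCONCLUSIVE: HTTP %s\n' "$status"
      return 2 ;;
  esac
}

# probe_customer_delete BASE_URL TOKEN [CUSTOMER_ID]
# Sends the DELETE with the integration bearer token and classifies the answer.
probe_customer_delete() {
  base="$1"
  token="$2"
  id="${3:-2147483647}"   # assumed not to exist on the target store
  tmp=$(mktemp)
  status=$(curl -sS -o "$tmp" -w '%{http_code}' -X DELETE \
    -H "Authorization: Bearer $token" -H 'Accept: application/json' \
    "$base/rest/V1/customers/$id")
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_delete_probe "$status" "$body"
}

# Usage: sh probe.sh https://staging.example.com <integration-token> [customer-id]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  probe_customer_delete "$1" "$2" "${3:-}"
fi
```

A BLOCKED verdict means the token was stopped at the ACL layer, which is the behaviour to expect once integrations are trimmed to the resources they need. An AUTHZ_PASSED verdict for a token that should not hold Magento_Customer::delete means the deletion route is reachable with that integration's permissions and the store should be upgraded before a real customer id is ever sent to it. The 404 branch deliberately separates "unknown customer" from "unknown route", because both are reported as 404 and only the former proves that the request got past authorization.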
Fix
Apply the vendor update: Adobe addressed CVE-2020-24402 in its Magento security bulletin published on the same date as this advisory; upgrade to a release that contains the fix.
Weakness types
Improper Authorization (CWE-285)
Incorrect Default Permissions (CWE-276)
Related Identifiers
Affected Products
Magento