PT-2020-4579 · Adobe · Magento

Published: 2020-10-15 · Updated: 2024-03-06 · CVE-2020-24403

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Magento versions 2.4.0 and 2.3.5p1 (and earlier)

Description

The vulnerability stems from incorrect permission checks in the Inventory component: an authenticated user who holds the Inventory and Source permissions can make unauthorized changes to inventory source data through the REST API. It is an authorization flaw that can affect the confidentiality and integrity of protected information exposed over HTTP.

Recommendations

For Magento versions 2.4.0 and 2.3.5p1 (and earlier), consider restricting access to the Inventory component and its associated REST API endpoints to reduce the risk of exploitation. As a temporary workaround, limit the permissions granted to authenticated users so that they cannot make unauthorized changes to inventory source data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Authorization

Related Identifiers

BDU:2020-05128
BIT-MAGENTO-2020-24403
CVE-2020-24403
GHSA-39RW-4M66-82GF

Affected Products

Magento