PT-2020-4582 · Adobe · Magento
Published
2020-10-15
·
Updated
2024-03-06
·
CVE-2020-24404
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Magento versions 2.4.0 and 2.3.5p1 and earlier
Description
The issue is related to incorrect permissions within the Integrations component, which could be exploited by users with permissions to the Pages resource to delete cms pages via the REST API without authorization. This vulnerability is associated with authentication errors and can be exploited remotely by an attacker with permissions to the Pages resource to delete cms pages through the REST API without authorization.
Recommendations
For Magento version 2.4.0, update to a version that includes the fix for the incorrect permissions vulnerability.
For Magento version 2.3.5p1 and earlier, update to a version that includes the fix for the incorrect permissions vulnerability.
As a temporary workaround, consider restricting access to the REST API for users with permissions to the Pages resource until a patch is available.
Fix
Improper Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Magento