Description

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.

Remediation

References

CVE-2020-24402

Related Vulnerabilities

PHP-Fusion Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2008-5335)

WordPress Plugin Smart Scroll Posts for WordPress includes Backdoor [Only if downloaded via the vendor website] (2.0.8)

PostgreSQL Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2019-10208)

Moodle Improper Following of Specification by Caller Vulnerability (CVE-2019-14829)

Zope Web Application Server Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2021-32674)

Severity

Medium

Classification

CVE-2020-24402 CWE-285 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities