Description
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
Remediation
References
Related Vulnerabilities
PostgreSQL Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2010-1169)
MediaWiki Improper Authentication Vulnerability (CVE-2021-36128)
ownCloud Improper Input Validation Vulnerability (CVE-2012-2270)
XWiki Improper Handling of Exceptional Conditions Vulnerability (CVE-2023-29520)