Moderate severityNVD Advisory· Published Nov 9, 2020· Updated Sep 16, 2024
Incorrect permissions following the deletion of a user role or deactivation of a user
CVE-2020-24401
Description
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/community-editionPackagist | < 2.4.1 | 2.4.1 |
magento/project-community-editionPackagist | <= 2.0.2 | — |
Affected products
4- osv-coords3 versionspkg:bitnami/magentopkg:composer/magento/community-editionpkg:composer/magento/project-community-edition
< 2.3.5+ 2 more
- (no CPE)range: < 2.3.5
- (no CPE)range: < 2.4.1
- (no CPE)range: <= 2.0.2
- Range: unspecified
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-f2g3-3c6q-4478ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-24401ghsaADVISORY
- helpx.adobe.com/security/products/magento/apsb20-59.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.