CVE-2020-9587
Description
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento authorization bypass vulnerability allows unauthorized product discounts in multiple versions.
Vulnerability Overview
CVE-2020-9587 is an authorization bypass vulnerability in Adobe Magento (formerly Magento Commerce and Magento Open Source) affecting versions 2.3.4 and earlier, 2.2.11 and earlier, 1.14.4.4 and earlier, and 1.9.4.4 and earlier [1]. The root cause is a flaw in the authorization logic that fails to properly enforce access controls, allowing an attacker to perform actions that should require higher privileges.
Exploitation Scenario
It is unclear whether exploitation requires authentication: the official description does not specify the access level needed, so the attacker could be an unauthenticated user or a low-privileged authenticated user who is able to bypass the normal authorization checks. The attack surface is likely a web request that modifies product pricing or discount rules [1]. No network position or complex prerequisites are detailed in the sources.
Impact
Successful exploitation could lead to unauthorized product discounts, meaning an attacker could alter the final price of items at checkout, resulting in financial loss for the merchant [1]. No evidence of remote code execution or data breach is provided in the available references; the impact is confined to e-commerce transaction manipulation.
Mitigation Status
No patches are explicitly referenced in the provided sources. However, Magento typically issues security updates; users should check Adobe's security advisories for the latest fixes. As of publication (June 2020), affected versions remain vulnerable unless updated [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | <= 2.2.11 | — |
| magento/community-edition | Packagist | >= 2.3.0, < 2.3.4-p2 | 2.3.4-p2 |
| magento/core | Packagist | < 1.9.4.5 | 1.9.4.5 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products
OSV coordinates (5):
- pkg:bitnami/magento
- pkg:composer/magento/community-edition
- pkg:composer/magento/core
- pkg:composer/magento/project-community-edition

Version ranges (4, no CPE):
- >= 2.2.0, < 2.2.12
- <= 2.2.11
- < 1.9.4.5
- <= 2.0.2

Range from the CVE description: 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier versions
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8wm7-h2qh-ff4c (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-9587 (source: ghsa; type: ADVISORY)
- helpx.adobe.com/security/products/magento/apsb20-22.html (source: ghsa; tags: x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.