CVE-2020-24401 MEDIUM

CVE-2020-24401: Incorrect permissions following the deletion of a user role or deactivation of a user

Vendor Adobe

Product Magento Commerce

Weakness CWE-863 · Incorrect authorization

Published November 9, 2020

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.

Key dates

02Disclosure timeline

November 9, 2020 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-24401

Related vulnerabilities

Identifiers

CVE CVE-2020-24401

CWE CWE-863

CVSS 6.5 / MEDIUM

Affected versions

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ 2.4.0

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ 2.3.5p1

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ None

CVE-2020-24401: Incorrect permissions following the deletion of a user role or deactivation of a user

01Description

02Disclosure timeline

03References

04Related CVE