CVE-2020-24404 LOW

CVE-2020-24404: Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API

Vendor Adobe
Product Magento Commerce
Weakness CWE-285
Published November 9, 2020
Last update September 16, 2024
View on NVD All CVEs

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.

Key dates

02Disclosure timeline

November 9, 2020 CVE published
September 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-2019 SourceCodester Prison Management System New User Creation improper authorization CVE-2026-42202 nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields CVE-2026-33162 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions CVE-2021-42000 Ping Identity PingFederate Password Reset and Password Change Mishandling with an authentication policy in parallel reset flows CVE-2016-7035