CVE-2020-24405

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://helpx.adobe.com/security/products/magento/apsb20-59.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:magento:magento:::::commerce:::*
	cpe:2.3:a:magento:magento:::::open_source:::*
	cpe:2.3:a:magento:magento:2.3.5:-:::commerce:::*
	cpe:2.3:a:magento:magento:2.3.5:-:::open_source:::*
	cpe:2.3:a:magento:magento:2.3.5:p1:::commerce:::*
	cpe:2.3:a:magento:magento:2.3.5:p1:::open_source:::*
	cpe:2.3:a:magento:magento:2.4.0::::commerce:::
	cpe:2.3:a:magento:magento:2.4.0::::open_source:::

History

21 Oct 2022, 18:57

Type	Values Removed	Values Added
CWE	~~CWE-285~~	NVD-CWE-Other

Information

Published : 2020-11-09 01:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-24405

Mitre link : CVE-2020-24405

CVE.ORG link : CVE-2020-24405

JSON object : View

Products Affected

magento

magento

CWE

NVD-CWE-Other CWE-285

Improper Authorization

{"id": "CVE-2020-24405", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "psirt@adobe.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2020-11-09T01:15:12.803", "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html", "tags": ["Vendor Advisory"], "source": "psirt@adobe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "psirt@adobe.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization."}, {"lang": "es", "value": "Magento versiones 2.4.0 y 2.3.5p1 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de problema de permisos incorrectos en el m\u00f3dulo Inventory. Esta vulnerabilidad podr\u00eda ser abusada por parte de unos usuarios autentificados para modificar los datos de las existencias de los inventarios sin autorizaci\u00f3n"}], "lastModified": "2022-10-21T18:57:24.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "vulnerable": true, "matchCriteriaId": "E0A4B080-331A-45E2-85A7-ED717F6EAA53", "versionEndExcluding": "2.3.5"}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*", "vulnerable": true, "matchCriteriaId": "64E6568D-2E8F-4E7F-9DEE-96B64D8AF769", "versionEndExcluding": "2.3.5"}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:-:*:*:commerce:*:*:*", "vulnerable": true, "matchCriteriaId": "5C6FC988-E98F-45F1-9FED-426BD70B9EED"}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:-:*:*:open_source:*:*:*", "vulnerable": true, "matchCriteriaId": "8FA0AF98-C822-4419-B4ED-E74AB5A740D1"}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:p1:*:*:commerce:*:*:*", "vulnerable": true, "matchCriteriaId": "781C23A0-98B7-4893-97E4-AADA97AF2DF1"}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:p1:*:*:open_source:*:*:*", "vulnerable": true, "matchCriteriaId": "F43338E3-3C5B-4923-87A1-057AD501BD28"}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:*:*:*:commerce:*:*:*", "vulnerable": true, "matchCriteriaId": "8B564171-2253-412F-B936-8FEA1074BBBE"}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:*:*:*:open_source:*:*:*", "vulnerable": true, "matchCriteriaId": "446F9B89-3455-46F4-A7B0-CCA7857E0FC4"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@adobe.com"}