Description

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.

Remediation

References

CVE-2020-24404

Related Vulnerabilities

Oracle Database Server CVE-2010-2407 Vulnerability (CVE-2010-2407)

Grafana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-41174)

Oracle HTTP Server CVE-2006-0435 Vulnerability (CVE-2006-0435)

PleskWin Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4878)

MySQL CVE-2017-10311 Vulnerability (CVE-2017-10311)

Severity

Low

Classification

CVE-2020-24404 CWE-285 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities