CVE-2020-24402

MEDIUM4.9EPSS 0.19%

Incorrect permissions in the Integrations component could lead to unauthorized deletion of customer details via REST API

Published: 5/24/2022Modified: 5/20/2025

Description

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.

Affected packages (3)

Bitnami/magentofrom 0, < 2.3.5, >= 2.4.0, < 2.4.1
Packagist/magento/community-editionfrom 0, < 2.3.6
Packagist/magento/project-community-editionfrom 0, <= 2.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-24402
PATCHhttps://github.com/magento/magento2
WEBhttps://helpx.adobe.com/security/products/magento/apsb20-59.html