CVE-2020-9587

HIGH 7.5 | EPSS 0.55%

Magento authorization bypass vulnerability

Published: 5/24/2022
Modified: 2/10/2025
Also known as: GHSA-8wm7-h2qh-ff4c, BIT-magento-2020-9587

Description

Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.

Affected packages (4)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (3)