CVE-2020-24401
MEDIUM6.5EPSS 0.28%Incorrect permissions following the deletion of a user role or deactivation of a user
發布日:2022/5/24修改日:2025/5/20
描述
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
受影響套件(3)
- Bitnami/magentofrom 0, < 2.3.5, >= 2.4.0, < 2.4.1
- Packagist/magento/community-editionfrom 0, < 2.4.1
- Packagist/magento/project-community-editionfrom 0, <= 2.0.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |