CVE-2020-24404 - OpenCVE

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Magento	Magento

Configuration 1 [-]

OR	cpe:2.3:a:magento:magento:::::commerce:::*
	cpe:2.3:a:magento:magento:::::open_source:::*
	cpe:2.3:a:magento:magento:2.3.5:-:::commerce:::*
	cpe:2.3:a:magento:magento:2.3.5:-:::open_source:::*
	cpe:2.3:a:magento:magento:2.3.5:p1:::commerce:::*
	cpe:2.3:a:magento:magento:2.3.5:p1:::open_source:::*
	cpe:2.3:a:magento:magento:2.4.0::::commerce:::
	cpe:2.3:a:magento:magento:2.4.0::::open_source:::

References

Link	Resource
https://helpx.adobe.com/security/products/magento/apsb20-59.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: adobe

Published: 2020-10-01T00:00:00

Updated: 2020-11-09T00:40:04

Reserved: 2020-08-19T00:00:00

Link: CVE-2020-24404

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-09T01:15:12.707

Modified: 2022-10-21T18:58:02.830

Link: CVE-2020-24404

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Magento Commerce", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2.4.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.3.5p1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "None", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-10-01T00:00:00", "descriptions": [{"lang": "en", "value": "Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "Improper Authorization (CWE-285)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-09T00:40:04", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2020-10-01T23:00:00.000Z", "ID": "CVE-2020-24404", "STATE": "PUBLIC", "TITLE": "Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Magento Commerce", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.4.0"}, {"version_affected": "<=", "version_value": "2.3.5p1"}, {"version_affected": "<=", "version_value": "None"}, {"version_affected": "<=", "version_value": "None"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization."}]}, "impact": {"cvss": {"attackComplexity": "Low", "attackVector": "Network", "availabilityImpact": "None", "baseScore": 2.7, "baseSeverity": "Low", "confidentialityImpact": "None", "integrityImpact": "Low", "privilegesRequired": "High", "scope": "Unchanged", "userInteraction": "None", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Authorization (CWE-285)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/magento/apsb20-59.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2020-24404", "datePublished": "2020-10-01T00:00:00", "dateReserved": "2020-08-19T00:00:00", "dateUpdated": "2020-11-09T00:40:04", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "E0A4B080-331A-45E2-85A7-ED717F6EAA53", "versionEndExcluding": "2.3.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*", "matchCriteriaId": "64E6568D-2E8F-4E7F-9DEE-96B64D8AF769", "versionEndExcluding": "2.3.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:-:*:*:commerce:*:*:*", "matchCriteriaId": "5C6FC988-E98F-45F1-9FED-426BD70B9EED", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:-:*:*:open_source:*:*:*", "matchCriteriaId": "8FA0AF98-C822-4419-B4ED-E74AB5A740D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:p1:*:*:commerce:*:*:*", "matchCriteriaId": "781C23A0-98B7-4893-97E4-AADA97AF2DF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:p1:*:*:open_source:*:*:*", "matchCriteriaId": "F43338E3-3C5B-4923-87A1-057AD501BD28", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:*:*:*:commerce:*:*:*", "matchCriteriaId": "8B564171-2253-412F-B936-8FEA1074BBBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:*:*:*:open_source:*:*:*", "matchCriteriaId": "446F9B89-3455-46F4-A7B0-CCA7857E0FC4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization."}, {"lang": "es", "value": "Magento versiones 2.4.0 y 2.3.5p1 (y anteriores) est\u00e1n afectadas por una vulnerabilidad de permisos incorrectos dentro del componente Integrations. Esta vulnerabilidad podr\u00eda ser abusada por usuarios con permisos en el recurso Pages para eliminar p\u00e1ginas cms por medio de la API REST sin autorizaci\u00f3n"}], "id": "CVE-2020-24404", "lastModified": "2022-10-21T18:58:02.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2020-11-09T01:15:12.707", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "psirt@adobe.com", "type": "Secondary"}]}