Magento incorrect user permissions vulnerability within the Inventory component
Magento versions 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the...
Magento 2 Community Edition Incorrect Authorization
Magento versions 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account...
Magento 2 Community Edition XSS Vulnerability
Magento versions 2.4.0 and 2.3.5p1 and earlier are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This...
CVE-2020-24401
Magento versions 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account...
CVE-2020-24407
CVE-2020-24407 affects Magento Open Source 2.4.x and 2.3.5p1 and earlier: an unsafe file upload vulnerability that allows authenticated admins with access to the System/Data and Transfer/Import components to achieve arbitrary code execution. The issue is documented across multiple feeds (including OSV...
CVE-2020-24403 Incorrect permissions could lead to unauthorized modification of inventory source data via REST API
Magento versions 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the...
CVE-2020-24401
CVE-2020-24401 — Magento: Affected versions are Magento 2.4.0 and 2.3.5p1 (and earlier). Root cause: incorrect authorization that lets a user continue to access resources provisioned under their old role after an administrator removes the role or disables the account. Impact: accounts may retain...
CVE-2020-24408
Magento versions 2.4.0 and 2.3.5p1 and earlier are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This...
PT-2020-4582 · Adobe · Magento
Name of the Vulnerable Software and Affected Versions: Magento versions 2.4.0 and 2.3.5p1 and earlier
Description: The issue is related to incorrect permissions within the Integrations component, which could be exploited by users with permissions to the Pages resource to delete CMS pages via the...
PT-2020-4511 · Adobe · Magento
Name of the Vulnerable Software and Affected Versions: Magento versions 2.4.0 and 2.3.5p1 and earlier
Description: The issue is related to incorrect authorization, allowing a user to access resources provisioned under their old role even after an administrator removes the role or disables the...