CVE-2020-24402: Magento incorrect permissions vulnerability in the Integrations component

CVSS Score (v3.1): 4.9

Basic Information

EPSS Score: 0.41301%
Published: 5/24/2022
Updated: 2/10/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Package Name                       Ecosystem  Vulnerable Versions  First Patched Version
magento/community-edition          composer   < 2.3.6              2.3.6
magento/community-edition          composer   = 2.4.0              2.4.1
magento/project-community-edition  composer   <= 2.0.2             -

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two key factors: 1) incorrect default permissions in the integration configuration (CWE-276), which allow broader API access than intended, and 2) missing authorization checks (CWE-285) in customer deletion workflows. The exact code is not available, but pattern analysis suggests:

  • Integration management controllers likely fail to validate the caller's context properly when handling API requests
  • CustomerRepositoryInterface implementations may not enforce authorization when invoked via integration tokens

The medium confidence reflects the lack of direct patch/diff evidence, but the analysis aligns with Magento's architecture, where API endpoints map to controller actions and repository services.


WAF Protection Rules

WAF Rule

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customers.