CVE-2020-24403: Magento incorrect user permissions vulnerability within the Inventory component
CVSS Score: 2.7 (CVSS 3.1)

Basic Information

CVE ID: CVE-2020-24403
GHSA ID:
EPSS Score: 0.50442%
CWE:
Published: 5/24/2022
Updated: 2/10/2025
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
magento/community-edition | composer | < 2.3.6 | 2.3.6
magento/community-edition | composer | = 2.4.0 | 2.4.1
magento/project-community-edition | composer | <= 2.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper authorization in Inventory component API endpoints. Magento's REST API authorization typically relies on ACL resources declared in webapi.xml. The described vulnerability suggests one of two causes: 1) the inventory source modification endpoints were mapped to overly broad ACL resources, or 2) the controller methods failed to implement their own authorization checks. The SourceRepositoryInterface::save method is central to inventory source persistence, and the Save controller handles modification requests. Both paths require strict authorization checks; those checks were likely missing or misconfigured, allowing users with only basic Inventory permissions to perform unauthorized modifications.