Miggo Logo

CVE-2020-24403: Magento incorrect user permissions vulnerability within the Inventory component

2.7

CVSS Score
3.1

Basic Information

EPSS Score
0.50442%
Published
5/24/2022
Updated
2/10/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer< 2.3.62.3.6
magento/community-editioncomposer= 2.4.02.4.1
magento/project-community-editioncomposer<= 2.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper authorization in Inventory component API endpoints. Magento's REST API authorization typically uses ACL resources defined in webapi.xml. The described vulnerability suggests either: 1) Inventory source modification endpoints used overly broad ACL resources, or 2) Controller methods failed to implement proper authorization checks. The SourceRepositoryInterface::save method is central to inventory source persistence, and the Save controller handles modification requests. Both would require strict authorization checks that were likely missing or misconfigured, allowing users with basic Inventory permissions to perform unauthorized modifications.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsion *.*.* *n* *.*.*p* (*n* **rli*r) *r* *****t** *y *n in*orr**t us*r p*rmissions vuln*r**ility wit*in t** Inv*ntory *ompon*nt. T*is vuln*r**ility *oul* ** **us** *y *ut**nti**t** us*rs wit* Inv*ntory *n* Sour** p*rmissions to m*k* un*ut*

Reasoning

T** vuln*r**ility st*ms *rom improp*r *ut*oriz*tion in Inv*ntory *ompon*nt *PI *n*points. M***nto's R*ST *PI *ut*oriz*tion typi**lly us*s **L r*sour**s ***in** in `w***pi.xml`. T** **s*ri*** vuln*r**ility su***sts *it**r: *) Inv*ntory sour** mo*i*i**