Miggo Logo
Miggo Vulnerability Database
CVE-2020-24405

CVE-2020-24405:
Magento incorrect permissions vulnerability in the Inventory module

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-24405
GHSA ID
GHSA-p7m7-j8jv-393q
EPSS Score
0.32398%
CWE
CWE-285
Published
5/24/2022
Updated
1/11/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer<= 2.3.5-p22.3.6
magento/community-editioncomposer>= 2.4.0, < 2.4.12.4.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on improper authorization in the Inventory module. Magento typically uses controller ACL checks via _isAllowed() methods and interface-level permissions. For CVE-2020-24405:

  1. The Save controller action (Execute method) is a common attack vector for inventory modifications and would require explicit authorization checks that might have been missing.
  2. StockRepositoryInterface::Save is a core API method for inventory updates; improper exposure via web APIs without role-based restrictions could enable unauthorized access. The medium confidence for the second function stems from less specific evidence in public advisories, but it aligns with the vulnerability pattern.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsion *.*.* *n* *.*.*p* (*n* **rli*r) *r* *****t** *y *n in*orr**t p*rmissions issu* vuln*r**ility in t** Inv*ntory mo*ul*. T*is vuln*r**ility *oul* ** **us** *y *ut**nti**t** us*rs to mo*i*y inv*ntory sto*k **t* wit*out *ut*oriz*tion.

Reasoning

T** vuln*r**ility **nt*rs on improp*r *ut*oriz*tion in t** Inv*ntory mo*ul*. M***nto typi**lly us*s *ontroll*r **L ****ks vi* _is*llow**() m*t*o*s *n* int*r****-l*v*l p*rmissions. *or *V*-****-*****: *. T** S*v* *ontroll*r **tion (*x**ut* m*t*o*) is