CVE-2025-24411: Magento Improper Access Control vulnerability
8.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.27697%
CWE
Published
2/11/2025
Updated
2/28/2025
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition | composer | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition | composer | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition | composer | < 2.4.4-p12 | 2.4.4-p12 |
| magento/community-edition | composer | = 2.4.7 | |
| magento/community-edition | composer | = 2.4.6 | |
| magento/community-edition | composer | = 2.4.5 | |
| magento/community-edition | composer | = 2.4.4 | |
| magento/community-edition | composer | = 2.4.8-beta1 | |
| magento/project-community-edition | composer | <= 2.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on Improper Access Control (CWE-284), which typically manifests in Magento via: (1) Admin controllers missing proper _isAllowed() overrides (defaulting to insecure permissions), and (2) Web API routes with insufficient resource restrictions. These patterns align with the described attack vector (low-privileged user bypass) and Magento's architecture. Confidence is medium due to lack of explicit patch details, but these components are historically prone to such vulnerabilities.