CVE-2020-24404 — Incorrect permissions in Integrations component could lead to unauthorized delet

Description

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.

How to fix CVE-2020-24404

To remediate CVE-2020-24404, upgrade the affected package to a fixed version below.

—upgrade to 2.3.5 or later
—upgrade to 2.3.6 or later

Is CVE-2020-24404 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.3.5, >= 2.4.0, < 2.4.1
from 0, < 2.3.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-24404
PATCHgithub.com/magento/magento2
WEBdevdocs.magento.com/guides/v2.3/release-notes/open-source-2-3-6.html
WEBexperienceleague.adobe.com/docs/commerce-operations/release/notes/magento-open-source/2-4-1.html