CVE-2020-24405
Incorrect permissions in Inventory module could lead to unauthorized modification of inventory stock data
4.3
MEDIUM
CVSS 3.1
EPSS 0.09%
Description
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Inventory module. Authenticated users could abuse this vulnerability to modify inventory stock data without authorization.
How to fix CVE-2020-24405
To remediate CVE-2020-24405, upgrade the affected package to one of the fixed versions below.
- upgrade to 2.3.5 or later
- upgrade to 2.3.6 or later
Is CVE-2020-24405 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.3.5, >= 2.4.0, < 2.4.1
- from 0, < 2.3.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |