CVE-2020-24403: Magento incorrect user permissions vulnerability within the Inventory component

May 24, 2022 (updated February 10, 2025)

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.

References

github.com/advisories/GHSA-39rw-4m66-82gf
github.com/magento/magento2
helpx.adobe.com/security/products/magento/apsb20-59.html
nvd.nist.gov/vuln/detail/CVE-2020-24403

Detect and mitigate CVE-2020-24403 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →