Description

Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.

Remediation

References

CVE-2020-9587

Related Vulnerabilities

Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-11023)

WordPress Plugin NextGEN Gallery-WordPress Gallery Directory Traversal (2.0.0)

WordPress Plugin AnyMind Widget Cross-Site Request Forgery (1.1)

PHP Address Book Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2013-0135)

WordPress Plugin Image Photo Gallery Final Tiles Grid Cross-Site Scripting (3.4.18)

Severity

High

Classification

CVE-2020-9587 CWE-863 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities