Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 23 |
CVE-ID | CVE-2024-39409 CVE-2024-39419 CVE-2024-39418 CVE-2024-39417 CVE-2024-39416 CVE-2024-39415 CVE-2024-39414 CVE-2024-39413 CVE-2024-39412 CVE-2024-39411 CVE-2024-39410 CVE-2024-39408 CVE-2024-39397 CVE-2024-39407 CVE-2024-39405 CVE-2024-39404 CVE-2024-39406 CVE-2024-39403 CVE-2024-39402 CVE-2024-39401 CVE-2024-39400 CVE-2024-39399 CVE-2024-39398 |
CWE-ID | CWE-352 CWE-284 CWE-285 CWE-434 CWE-863 CWE-200 CWE-79 CWE-78 CWE-22 CWE-307 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Adobe Commerce (formerly Magento Commerce) Web applications / E-Commerce systems Magento Open Source Web applications / E-Commerce systems |
Vendor |
Magento, Inc Adobe |
Security Bulletin
This security bulletin contains information about 23 vulnerabilities.
EUVDB-ID: #VU95962
Risk: Medium
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39409
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95954
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39419
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95970
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39418
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper authorization. A remote user can bypass implemented security restrictions.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95969
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39417
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper authorization. A remote user can bypass implemented security restrictions.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95968
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39416
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper authorization. A remote user can bypass implemented security restrictions.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95967
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39415
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper authorization. A remote user can bypass implemented security restrictions.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95957
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39414
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95966
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39413
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper authorization. A remote user can bypass implemented security restrictions.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95965
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39412
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper authorization. A remote user can bypass implemented security restrictions.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95956
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39411
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95963
Risk: Medium
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39410
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95961
Risk: Medium
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39408
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95942
Risk: Critical
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39397
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote non-authenticated attacker can upload a malicious file and execute it on the server.
Successful exploitation of the vulnerability may result in entire system compromise.
Note, the vulnerability affects only installations with Apache HTTP server.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
http://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-61
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95959
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39407
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to incorrect authorization. A remote user can gain unauthorized access to the application.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95955
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39405
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95953
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39404
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95952
Risk: Low
CVSSv3.1: 3.6 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39406
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote privileged user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95949
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39403
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95951
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39402
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote privileged user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95950
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39401
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote privileged user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95948
Risk: Low
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39400
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95946
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39399
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95943
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39398
CWE-ID:
CWE-307 - Improper Restriction of Excessive Authentication Attempts
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to software does not properly restrict the number of authentication attempts. A remote attacker can perform a brute-force attack and gain unauthorized access to the web application.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.4.4 - 2.4.7-p1
Magento Open Source: 2.4.4 - 2.4.7-p1
CPE2.3http://helpx.adobe.com/security/products/magento/apsb24-61.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.