CVE-2024-20718 — Cross-Site Request Forgery in Adobe Commerce

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

6.5MEDIUMNVD

CNA4.3

EPSS

0.1%

top 69.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Community-edition Adobe Commerce Magento Project-community-edition +1 more

Timeline

PublishedFeb 15

Description

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to trick a victim into performing actions they did not intend to do, which could be used to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction, typically in the form of the victim clicking a link or visiting a maliciou…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5adobe/adobe_commerce2.4.4-p6

▶NVDadobe/commerce2.4.4, 2.4.5, 2.4.6+2

▶Packagistmagento/community-edition2.4.6-p1 — 2.4.6-p4+2

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

OSV

Magento Open Source allows Cross-Site Request Forgery (CSRF)↗2024-02-15

▶

CVEList

[Spain] CSRF to delete Requisition Lists at Adobe Commerce↗2024-02-15

▶

GHSA

Magento Open Source allows Cross-Site Request Forgery (CSRF)↗2024-02-15

▶