CVE-2024-39323 — Incorrect Authorization in Ai-admin-graphql

CWE-863 — Incorrect Authorization CWE-1220 — Insufficient Granularity of Access Control3 documents3 sources

Severity

7.1HIGHNVD

EPSS

0.1%

top 71.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aimeos Ai-admin-graphql

Timeline

PublishedJul 2

Description

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:LExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

▶Packagistaimeos/ai-admin-graphql2022.04.1 — 2022.10.10+2

▶CVEListV5aimeos/ai-admin-graphql>= 2022.04.1, < 2022.10.10, >= 2023.04.1, < 2023.10.6, >= 2024.04.1, < 2024.04.6+2

🔴Vulnerability Details

GHSA

aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account↗2024-07-02

▶

OSV

aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account↗2024-07-02

▶