CVE-2024-39398: Improper Restriction of Excessive Authentication Attempts in Adobe Commerce

Severity: 7.4 HIGH (NVD)
EPSS: 0.2% (top 63.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 14

Description

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute force attacks and potentially gain unauthorized access to accounts. Exploitation of this issue does not require user interaction, but attack complexity is high.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages (5 packages)

Source     | Package                    | Versions
NVD        | adobe/commerce             | 2.4.3 (+4)
CVEListV5  | adobe/adobe_commerce       | 2.4.4-p9
NVD        | adobe/magento              | 2.4.3 (+4)
Packagist  | magento/community-edition  | 2.4.7-beta1, 2.4.7-p2 (+3)

Vulnerability Details (3 references)

OSV: Magento does not properly restrict excessive authentication attempts (2024-08-14)
CVEList: OTP 2FA can be bruteforced (2024-08-14)
GHSA: Magento does not properly restrict excessive authentication attempts (2024-08-14)
CVE-2024-39398 — Adobe Commerce vulnerability | cvebase