CVE-2024-39401 — OS Command Injection in Adobe Commerce

CWE-78 — OS Command Injection4 documents4 sources

Severity

8.4HIGHNVD

EPSS

1.8%

top 17.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Community-edition Adobe Commerce Adobe Commerce +2 more

Timeline

PublishedAug 14

Description

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:HExploitability: 1.7 | Impact: 6.0

Affected Packages5 packages

▶NVDadobe/commerce2.4.3+4

▶CVEListV5adobe/adobe_commerce2.4.4-p9

▶NVDadobe/magento2.4.3+4

▶Packagistmagento/community-edition2.4.7-beta1 — 2.4.7-p2+3

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

OSV

Magento OS Command ('OS Command Injection') vulnerability↗2024-08-14

▶

CVEList

Adobe Commerce | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)↗2024-08-14

▶

GHSA

Magento OS Command ('OS Command Injection') vulnerability↗2024-08-14

▶