CVE-2024-39410: Cross-Site Request Forgery in Adobe Commerce

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.2% (top 56.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 14; latest update Oct 15

Description

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor integrity changes on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

NVD: adobe/commerce 2.4.3 (+4 more)
CVEListV5: adobe/adobe_commerce 2.4.4-p9
NVD: adobe/magento 2.4.3 (+4 more)
Packagist: magento/community-edition 2.4.7-p1, 2.4.7-p2 (+3 more)

Vulnerability Details (3)

OSV: Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability (2024-08-14)
GHSA: Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability (2024-08-14)
CVEList: Adobe Commerce | Cross-Site Request Forgery (CSRF) (CWE-352) (2024-08-14)

Vendor Advisories (2)

Oracle: Oracle GoldenGate Risk Matrix: Spark (Apache Avro Java) — CVE-2023-39410 (2024-10-15)
Oracle: Oracle Fusion Middleware Risk Matrix: BPM Composer (Apache Avro) — CVE-2023-39410 (2024-01-15)