CVE-2025-24406

CWE-22 Path Traversal | 4 documents | 4 sources
Severity
7.5 HIGH
EPSS
0.2%
top 53.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Feb 11

Description

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (6 packages)

NVD | adobe/commerce | < 2.4.4 | +5
NVD | adobe/commerce_b2b | < 1.3.3 | +5
CVEListV5 | adobe/adobe_commerce | 2.4.8-beta1
NVD | adobe/magento | < 2.4.4 | +5
Packagist | magento/community-edition | 2.4.7-beta1 | 2.4.7-p4 | +3

Vulnerability Details (3)

GHSA
Adobe Commerce Path Traversal | 2025-02-11
OSV
Adobe Commerce Path Traversal | 2025-02-11
CVEList
Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 2025-02-11
CVE-2025-24406 (HIGH CVSS 7.5) | Adobe Commerce versions 2.4.8-beta1 | cvebase.io