Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs

355

CISA KEV

actively exploited

Public exploits

Exploited in wild

Severity breakdown

CRITICAL41HIGH105MEDIUM192LOW17

Vulnerabilities

Page 4 of 18

CVE-2024-45119MEDIUM≥ 2.4.7-beta1, < 2.4.7-p3≥ 2.4.6-p1, < 2.4.6-p8+2 more2024-10-10

CVE-2024-45119 [MEDIUM] CWE-918 Magento Open Source Server-Side Request Forgery (SSRF) vulnerability Magento Open Source Server-Side Request Forgery (SSRF) vulnerability Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitat

ghsaosv

CVE-2024-45131MEDIUM≥ 2.4.7-beta1, < 2.4.7-p3≥ 2.4.6-p1, < 2.4.6-p8+2 more2024-10-10

CVE-2024-45131 [MEDIUM] CWE-285 Magento Open Source Improper Authorization vulnerability Magento Open Source Improper Authorization vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality and integrity. Exploitation of this iss

ghsaosv

CVE-2024-45134MEDIUM≥ 2.4.7-beta1, < 2.4.7-p3≥ 2.4.6-p1, < 2.4.6-p8+2 more2024-10-10

CVE-2024-45134 [MEDIUM] CWE-200 Magento Open Source Information Exposure vulnerability Magento Open Source Information Exposure vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may aid in further attacks. Exploitation of this issue does not require user

ghsaosv

CVE-2024-45120MEDIUM≥ 2.4.7-beta1, < 2.4.7-p3≥ 2.4.6-p1, < 2.4.6-p8+2 more2024-10-10

CVE-2024-45120 [MEDIUM] CWE-367 Magento Open Source Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Magento Open Source Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to a security feature bypass. An attacker could exploit this vulnerability to alter a condition between the check and the use

ghsaosv

CVE-2024-45149LOW≥ 2.4.7-beta1, < 2.4.7-p3≥ 2.4.6-p1, < 2.4.6-p8+2 more2024-10-10

CVE-2024-45149 [LOW] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not r

ghsaosv

CVE-2024-39402HIGH≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39402 [HIGH] CWE-78 Magento OS Command ('OS Command Injection') vulnerability Magento OS Command ('OS Command Injection') vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.

ghsaosv

CVE-2024-39398HIGH≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39398 [HIGH] CWE-307 Magento does not properly restrict excessive authentication attempts Magento does not properly restrict excessive authentication attempts Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute force attacks and potentially gain unauthorized access to acco

ghsaosv

CVE-2024-39401HIGH≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39401 [HIGH] CWE-78 Magento OS Command ('OS Command Injection') vulnerability Magento OS Command ('OS Command Injection') vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.

ghsaosv

CVE-2024-39399HIGH≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39399 [HIGH] CWE-22 Magento Path Traversal vulnerability Magento Path Traversal vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A low-privileged attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue

ghsaosv

CVE-2024-39403HIGH≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39403 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) vulnerability Magento Stored Cross-Site Scripting (XSS) vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable fie

ghsaosv

CVE-2024-39400HIGH≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39400 [HIGH] CWE-79 Magento DOM-based Cross-Site Scripting (XSS) vulnerability Magento DOM-based Cross-Site Scripting (XSS) vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an admin attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. Exploitation of this issue requires user interaction, such as convi

ghsaosv

CVE-2024-39404MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39404 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.

ghsaosv

CVE-2024-39408MEDIUM≥ 2.4.7-p1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39408 [MEDIUM] CWE-352 Magento Open Source Cross-Site Request Forgery vulnerability Magento Open Source Cross-Site Request Forgery vulnerability Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or

ghsaosv

CVE-2024-39416MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39416 [MEDIUM] CWE-285 Magento Improper Authorization leads to Security feature bypass Magento Improper Authorization leads to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use

ghsaosv

CVE-2024-39410MEDIUM≥ 2.4.7-p1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39410 [MEDIUM] CWE-352 Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into click

ghsaosv

CVE-2024-39418MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39418 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures to view and edit low-sensitivity information. Exploitation of this issue does not require user interaction.

ghsaosv

CVE-2024-39409MEDIUM≥ 2.4.7-p1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39409 [MEDIUM] CWE-352 Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into click

ghsaosv

CVE-2024-39405MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39405 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.

ghsaosv

CVE-2024-39407MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39407 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.

ghsaosv

CVE-2024-39417MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14

CVE-2024-39417 [MEDIUM] CWE-285 Magento Improper Authorization leads to Security feature bypass Magento Improper Authorization leads to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use

ghsaosv

← Previous4 / 18Next →