Magento Community-Edition vulnerabilities

CVE-2024-39419 [MEDIUM] CWE-285 Magento Improper Access Control Leads to Privilege escalation Magento Improper Access Control Leads to Privilege escalation Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require us

CVE-2024-39415 [MEDIUM] CWE-285 Magento Improper Authorization Leading to Security feature bypass Magento Improper Authorization Leading to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require

CVE-2024-39411 [MEDIUM] CWE-285 Magento Improper Authorization leads to security feature bypass Magento Improper Authorization leads to security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use

CVE-2024-39412 [MEDIUM] CWE-285 Magento Open Source Improper Authorization vulnerability Magento Open Source Improper Authorization vulnerability Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user

CVE-2024-39406 [MEDIUM] CWE-22 Magento Open Source Path Traversal vulnerability Magento Open Source Path Traversal vulnerability Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exp

CVE-2024-39413 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.

CVE-2024-39414 [MEDIUM] CWE-284 Magento Improper Access Control Leads to Privilege escalation Magento Improper Access Control Leads to Privilege escalation Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user in

CVE-2024-34103 [CRITICAL] CWE-287 Magento Open Source Improper Authentication vulnerability Magento Open Source Improper Authentication vulnerability Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interact

CVE-2024-34102 [CRITICAL] CWE-611 Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit thi

CVE-2024-34104 [HIGH] CWE-285 Magento Open Source Improper Authorization vulnerability Magento Open Source Improper Authorization vulnerability Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both confidentiality and integrity impact. Exploitation of this

CVE-2024-34106 [MEDIUM] CWE-863 Magento Open Source Incorrect Authorization vulnerability Magento Open Source Incorrect Authorization vulnerability Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to gain unauthorized access or perform actions with the privileges of another user. Exploitation of this issue does not require u

CVE-2024-34111 [MEDIUM] CWE-918 Magento Open Source Server-Side Request Forgery (SSRF) vulnerability Magento Open Source Server-Side Request Forgery (SSRF) vulnerability Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted request to the server, which could then cause the server to execute arbitrary

CVE-2024-34107 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

CVE-2024-34105 [MEDIUM] CWE-79 Magento Open Source Cross-Site Scripting (XSS) vulnerability Magento Open Source Cross-Site Scripting (XSS) vulnerability Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulner

CVE-2024-20758 [HIGH] CWE-20 Magento Open Source allows Improper Input Validation Magento Open Source allows Improper Input Validation Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but the attack complexity is high.

CVE-2024-20759 [MEDIUM] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS) Magento Open Source allows Cross-Site Scripting (XSS) Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulne

CVE-2024-20719 [HIGH] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS) Magento Open Source allows Cross-Site Scripting (XSS) Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be lev

CVE-2024-20720 [HIGH] CWE-78 Magento Open Source allows OS Command Injection Magento Open Source allows OS Command Injection Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.

CVE-2024-20716 [MEDIUM] CWE-400 Magento Open Source allows Uncontrolled Resource Consumption Magento Open Source allows Uncontrolled Resource Consumption Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to an application denial-of-service. A high-privileged attacker could leverage this vulnerability to exhaust system resources, causing the application to slow down or crash. Exploitation of this is

CVE-2024-20718 [MEDIUM] CWE-352 Magento Open Source allows Cross-Site Request Forgery (CSRF) Magento Open Source allows Cross-Site Request Forgery (CSRF) Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to trick a victim into performing actions they did not intend to do, which could be used to bypass security measures and