Magento Project-Community-Edition vulnerabilities

CVE-2025-24429 [LOW] CWE-284 Magento Improper Access Control vulnerability Magento Improper Access Control vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

CVE-2025-24432 [LOW] CWE-367 Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it

CVE-2025-24430 [LOW] CWE-367 Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it

CVE-2024-39402 [HIGH] CWE-78 Magento OS Command ('OS Command Injection') vulnerability Magento OS Command ('OS Command Injection') vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.

CVE-2024-39398 [HIGH] CWE-307 Magento does not properly restrict excessive authentication attempts Magento does not properly restrict excessive authentication attempts Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute force attacks and potentially gain unauthorized access to acco

CVE-2024-39401 [HIGH] CWE-78 Magento OS Command ('OS Command Injection') vulnerability Magento OS Command ('OS Command Injection') vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.

CVE-2024-39399 [HIGH] CWE-22 Magento Path Traversal vulnerability Magento Path Traversal vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A low-privileged attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue

CVE-2024-39403 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) vulnerability Magento Stored Cross-Site Scripting (XSS) vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable fie

CVE-2024-39400 [HIGH] CWE-79 Magento DOM-based Cross-Site Scripting (XSS) vulnerability Magento DOM-based Cross-Site Scripting (XSS) vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an admin attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. Exploitation of this issue requires user interaction, such as convi

CVE-2024-39404 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.

CVE-2024-39416 [MEDIUM] CWE-285 Magento Improper Authorization leads to Security feature bypass Magento Improper Authorization leads to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use

CVE-2024-39418 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures to view and edit low-sensitivity information. Exploitation of this issue does not require user interaction.

CVE-2024-39405 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.

CVE-2024-39407 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.

CVE-2024-39417 [MEDIUM] CWE-285 Magento Improper Authorization leads to Security feature bypass Magento Improper Authorization leads to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use

CVE-2024-39419 [MEDIUM] CWE-285 Magento Improper Access Control Leads to Privilege escalation Magento Improper Access Control Leads to Privilege escalation Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require us

CVE-2024-39415 [MEDIUM] CWE-285 Magento Improper Authorization Leading to Security feature bypass Magento Improper Authorization Leading to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require

CVE-2024-39411 [MEDIUM] CWE-285 Magento Improper Authorization leads to security feature bypass Magento Improper Authorization leads to security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use

CVE-2024-39413 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.

CVE-2024-39414 [MEDIUM] CWE-284 Magento Improper Access Control Leads to Privilege escalation Magento Improper Access Control Leads to Privilege escalation Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user in