CVE-2024-39323

2024-07-0216:15:04

CWE-863

CWE-1220

GitHub_M

web.nvd.nist.gov

aimeos graphql api

improper access control

admin account takeover

vulnerability

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

EPSS

Percentile

15.8%

JSON

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.

Affected configurations

Vulners

Node

aimeosai_admin_jsonadmRange2022.04.1–2022.10.10

aimeosai_admin_jsonadmRange2023.04.1–2023.10.6

aimeosai_admin_jsonadmRange2024.04.1–2024.04.6

VendorProductVersionCPE
aimeosai_admin_jsonadm*cpe:2.3:a:aimeos:ai_admin_jsonadm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
aimeos	ai_admin_jsonadm	*	cpe:2.3:a:aimeos:ai_admin_jsonadm::::::::

CNA Affected

[
  {
    "vendor": "aimeos",
    "product": "ai-admin-graphql",
    "versions": [
      {
        "version": ">= 2022.04.1, < 2022.10.10",
        "status": "affected"
      },
      {
        "version": ">= 2023.04.1, < 2023.10.6",
        "status": "affected"
      },
      {
        "version": ">= 2024.04.1, < 2024.04.6",
        "status": "affected"
      }
    ]
  }
]