Lucene search

AdobeVULNRICHMENT:CVE-2024-34103

HistoryJun 13, 2024 - 9:05 a.m.

CVE-2024-34103 Customer account takeover via web API call & subsequent password reset

2024-06-1309:05:01

CWE-287

adobe

github.com

cve-2024-34103

customer account takeover

web api

password reset

adobe commerce

improper authentication

privilege escalation

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

0.001

Percentile

41.2%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction, but attack complexity is high.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:adobe:commerce:-:*:*:*:*:*:*:*"
    ],
    "vendor": "adobe",
    "product": "commerce",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.4.7"
      },
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.4.6-p5"
      },
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.4.5-p7"
      },
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.4.4-p8"
      },
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.4.3-ext-7"
      },
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.4.2-ext-7"
      },
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.4.1-ext-7"
      },
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.4.0-ext-7"
      },
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.3.7-p4-ext-7"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

helpx.adobe.com/security/products/magento/apsb24-40.html

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

0.001

Percentile

41.2%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-34103