Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction.
The vulnerability stems from improper implementation of the authentication mechanism (Improper Authentication) in Adobe Commerce. An attacker can remotely send a specially crafted request to the application without possessing any credentials or requiring user interaction. As a result, the identity control mechanism is bypassed, leading to unauthorized access or privilege escalation within the application.
An attacker can gain unauthorized access to the application or escalate their privileges (privilege escalation), which in the context of an e-commerce platform may mean taking control of store administration, customer data, and system configuration.
Adobe Commerce must be immediately updated to versions higher than 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10, applying patches described in the vendor's security bulletin APSB24-73 available at: https://helpx.adobe.com/security/products/magento/apsb24-73.html
Adobe Commerce in versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10, and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAdobe Commerce
APPAdobe2.3.72.4.02.4.12.4.22.4.32.4.42.4.52.4.62.4.7Adobe Commerce B2b
APPAdobe1.3.31.3.41.3.51.4.2Adobe Magento
APPAdobe2.4.32.4.42.4.52.4.62.4.7
Related vulnerabilities
Adobe Commerce/Magento — przejęcie sesji przez Improper Input Validation
Krytyczna podatność XXE w Adobe Commerce umożliwiająca RCE
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input va...
Adobe Commerce — Incorrect Authorization umożliwiające privilege escalation
Adobe Commerce — RCE poprzez nieograniczony upload niebezpiecznych plików