CRITICAL🇵🇱 Wersja polska

CVE-2024-45115

CVSS 9.8v3.1pub. 2024-10-10

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction.

🤖 AI Analysis
How it works

The vulnerability stems from improper implementation of the authentication mechanism (Improper Authentication) in Adobe Commerce. An attacker can remotely send a specially crafted request to the application without possessing any credentials or requiring user interaction. As a result, the identity control mechanism is bypassed, leading to unauthorized access or privilege escalation within the application.

Impact

An attacker can gain unauthorized access to the application or escalate their privileges (privilege escalation), which in the context of an e-commerce platform may mean taking control of store administration, customer data, and system configuration.

Mitigation & patch

Adobe Commerce must be immediately updated to versions higher than 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10, applying patches described in the vendor's security bulletin APSB24-73 available at: https://helpx.adobe.com/security/products/magento/apsb24-73.html

Who is affected

Adobe Commerce in versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10, and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Adobe Commerce

    APP
    Adobe
    2.3.72.4.02.4.12.4.22.4.32.4.42.4.52.4.62.4.7
  • Adobe Commerce B2b

    APP
    Adobe
    1.3.31.3.41.3.51.4.2
  • Adobe Magento

    APP
    Adobe
    2.4.32.4.42.4.52.4.62.4.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2025-54236CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Adobe Commerce/Magento — przejęcie sesji przez Improper Input Validation

CVE-2024-34102CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Krytyczna podatność XXE w Adobe Commerce umożliwiająca RCE

CVE-2022-24086CRITICAL9.8⚠ KEVten sam produkt

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input va...

CVE-2025-24434CRITICAL9.1PL ✓ten sam produkt

Adobe Commerce — Incorrect Authorization umożliwiające privilege escalation

CVE-2024-39397CRITICAL9.0PL ✓ten sam produkt

Adobe Commerce — RCE poprzez nieograniczony upload niebezpiecznych plików