June 26, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
CISA Alerts of Microsoft SharePoint Vulnerability Actively Exploited
October 24, 2024Novel Grandoreiro Banking Malware Variants Arise with Sophisticated Strategies to Avoid Detection – Active IOCs
October 24, 2024CISA Alerts of Microsoft SharePoint Vulnerability Actively Exploited
October 24, 2024Novel Grandoreiro Banking Malware Variants Arise with Sophisticated Strategies to Avoid Detection – Active IOCs
October 24, 2024
Severity
High
Analysis Summary
CVE-2024-45120 CVSS:4.3
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to a security feature bypass. An attacker could exploit this vulnerability to alter a condition between the check and the use of a resource, having a low impact on integrity. Exploitation of this issue requires user interaction.
CVE-2024-45119 CVSS:5.6
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs and have a low impact on both confidentiality and integrity. Exploitation of this issue does not require user interaction and scope is changed.
CVE-2024-45118 CVSS:6.5
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have high impact on integrity. Exploitation of this issue does not require user interaction.
CVE-2024-45117 CVSS:7.6
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An admin attacker could exploit this vulnerability to read files from the system outside of the intended directories via PHP filter chain and also can have a low-availability impact on the service. Exploitation of this issue does not require user interaction and scope is changed.
CVE-2024-45116 CVSS:8.1
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code. If an admin attacker can trick a user into clicking a specially crafted link or submitting a form, malicious scripts may be executed within the context of the victim's browser and have high impact on confidentiality and integrity. Exploitation of this issue requires user interaction.
CVE-2024-45115 CVSS:9.8
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction.
Impact
- Gain Access
- Security Bypass
- Cross-Site Scripting
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-45120
- CVE-2024-45119
- CVE-2024-45118
- CVE-2024-45117
- CVE-2024-45116
- CVE-2024-45115
Affected Vendors
Adobe
Affected Products
- Adobe Commerce - 2.4.7-p2
- Adobe Commerce B2B - 1.4.2-p2
- Adobe Magento Open Source - 2.4.7-p2
Remediation
Refer to Adobe Security Advisory for patch, upgrade or suggested workaround information.