CVE-2024-20718 – [Spain] CSRF to delete Requisition Lists at Adobe Commerce
https://notcve.org/view.php?id=CVE-2024-20718
Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to trick a victim into performing actions they did not intend to do, which could be used to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction, typically in the form of the victim clicking a link or visiting a malicious website. Las versiones 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 y anteriores de Adobe Commerce se ven afectadas por una vulnerabilidad de Cross-Site Request Forgery (CSRF) que podría provocar la omisión de una función de seguridad. Un atacante podría aprovechar esta vulnerabilidad para engañar a una víctima para que realice acciones que no tenía intención de realizar, lo que podría utilizarse para eludir las medidas de seguridad y obtener acceso no autorizado. • https://helpx.adobe.com/security/products/magento/apsb24-03.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-20719 – [Adobe Commerce] Stored XSS from low privileged admin user on every admin page, bypassing CVE-2023-29297
https://notcve.org/view.php?id=CVE-2024-20719
Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be leveraged to gain admin access. Las versiones 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 y anteriores de Adobe Commerce se ven afectadas por una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado que podría ser aprovechada por un atacante administrador para inyectar secuencias de comandos maliciosas en cada página administrada. Se puede ejecutar JavaScript malicioso en el navegador de la víctima cuando navega a la página que contiene el campo vulnerable, que podría aprovecharse para obtener acceso de administrador. • https://helpx.adobe.com/security/products/magento/apsb24-03.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-20720 – Command injection in data collector backup due to insufficient patching of CVE-2023-38208
https://notcve.org/view.php?id=CVE-2024-20720
Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Las versiones 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 y anteriores de Adobe Commerce se ven afectadas por una neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando del sistema operativo ('inyección de comando del sistema operativo') eso podría provocar la ejecución de código arbitrario por parte de un atacante. La explotación de este problema no requiere la interacción del usuario. • https://helpx.adobe.com/security/products/magento/apsb24-03.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2023-38251 – Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
https://notcve.org/view.php?id=CVE-2023-38251
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Uncontrolled Resource Consumption vulnerability that could lead in minor application denial-of-service. Exploitation of this issue does not require user interaction. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad de Consumo de Recursos Incontrolados eso podría provocar una Denegación de Servicio (DoS) menor en una aplicación. La explotación de este problema no requiere la interacción del usuario. • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-38219 – Validate Your Inputs | Cross-site Scripting (Stored XSS) (CWE-79) - Customer to Admin stored XSS with Gift wrapping
https://notcve.org/view.php?id=CVE-2023-38219
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Payload is stored in an admin area, resulting in high confidentiality and integrity impact. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad de Cross-Site Scripting (XSS) Almacenada de la que un atacante con pocos privilegios podría abusar para inyectar scripts maliciosos en campos de formulario vulnerables. Se puede ejecutar JavaScript malicioso en el navegador de la víctima cuando navega a la página que contiene el campo vulnerable. • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •