CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39419 – A user without ship permissions can ship the orders
https://notcve.org/view.php?id=CVE-2024-39419
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb24-61.html • CWE-285: Improper Authorization •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39403 – Stored XSS through Webhook module public key configuration
https://notcve.org/view.php?id=CVE-2024-39403
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality impact is high due to the attacker being able to exfiltrate sensitive information. • https://helpx.adobe.com/security/products/magento/apsb24-61.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39418 – Adobe Commerce | Improper Authorization (CWE-285)
https://notcve.org/view.php?id=CVE-2024-39418
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures to view and edit low-sensitivity information. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb24-61.html • CWE-285: Improper Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39413 – An unauthorized user can export the Invoiced Sales Report
https://notcve.org/view.php?id=CVE-2024-39413
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb24-61.html • CWE-285: Improper Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39399 – [Paris] Path Traversal lead to local file read
https://notcve.org/view.php?id=CVE-2024-39399
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A low-privileged attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue does not require user interaction and scope is changed. • https://helpx.adobe.com/security/products/magento/apsb24-61.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •