CVE-2024-39323 aimeos/ai-admin-graphql

Package

Manager: composer
Name: aimeos/ai-admin-graphql
Vulnerable Version: >=2022.04.1 <2022.10.10 || >=2023.04.1 <2023.10.6 || >=2024.04.1 <2024.04.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00105 (percentile: 0.29202)

Details

aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.

Metadata

Created: 2024-07-02T21:20:33Z
Modified: 2024-07-05T17:54:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-vc7j-99jw-jrqm/GHSA-vc7j-99jw-jrqm.json
CWE IDs: ["CWE-1220", "CWE-863"]
Alternative ID: GHSA-vc7j-99jw-jrqm
Finding: F006
Auto approve: 1